From 728e8f6aa8d442dd04d02257c78fc0ddcc36894c Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Wed, 27 May 2026 15:03:49 -0500
Subject: [PATCH 01/15] fix(integrations): emit stack-invariant OR ranges for related_integrations
Replace find_least_compatible_version with find_compatible_version_range so prebuilt rules export the same related_integrations.version across stack backports. Bump version.lock for rules whose export changes.
---
detection_rules/etc/version.lock.json | 3743 +++++++++--------
detection_rules/integrations.py | 148 +-
detection_rules/rule.py | 22 +-
tests/test_integrations.py | 97 +-
.../test_integrations_version_performance.py | 105 +
5 files changed, 2204 insertions(+), 1911 deletions(-)
create mode 100644 tests/test_integrations_version_performance.py
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 8e214315783..f6b11ecb85d 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -3,49 +3,49 @@ "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "f2eff7fde63919cf5ce12fc0a43b396d4f946d0b91202749bb8e1959ba503cbd", "type": "query", - "version": 416 + "version": 417 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "9fa5bb58f3f3b4c55a18dcad65a001a8a4217afcc2ced7112a1e295bcb5a79a2", "type": "eql", - "version": 321 + "version": 322 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", "sha256": "2fa22b5ffca90b0b5dda594ac010099051455bf90a1290e366e75c3f6c31f353", "type": "eql", - "version": 422 + "version": 423 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", "sha256": "dba5d16fb893bdb86a173237b75117a8e000bca4f1a47a96d9492119f8beea74", "type": "eql", - "version": 7 + "version": 8 }, "00546494-5bb0-49d6-9220-5f3b4c12f26a": { "rule_name": "Uncommon Destination Port Connection by Web Server", "sha256": "7dc587f4807bf20137a0a7d3a415b2807d481a1dd245b423be1d9addca63dff9", "type": "eql", - "version": 6 + "version": 7 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", "sha256": "91b36ea21ef5f2334a76a399ad91075977d7b149b9bab8bad35c854914d62420", "type": "query", - "version": 8 + "version": 9 }, "012bfca7-45cb-4507-a3ba-3777167f8b81": { "rule_name": "Google Workspace Device Registration After OAuth from Suspicious ASN", "sha256": "5020e674a38d5634ad2d4127128c09eab9c1131b1e448655eec8c5c6145427a0", "type": "eql", - "version": 1 + "version": 2 }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Deprecated - M365 Security Compliance User Restricted from Sending Email", "sha256": "226cb4ca9b14010933649d9bac8285e8266edb900b2d835b38307bc6fb629385", "type": "query", - "version": 213 + "version": 214 }, "015cca13-8832-49ac-a01b-a396114809f6": { "rule_name": "Deprecated - AWS Redshift Cluster Creation", 
@@ -57,62 +57,62 @@ "rule_name": "Potential Network Scan Detected", "sha256": "5484efed9ed2e59b10577e3d86ecbe4dca7de9f28a241e509931c2595d8d9f4c", "type": "esql", - "version": 15 + "version": 16 }, "017de1e4-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Detected - Elastic Defend", "sha256": "2b1277af9a824d07977a035ae4f6833f19e26f54f8e63a687a92d4333c198416", "type": "query", - "version": 5 + "version": 6 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "076646ab6716181a2c6a88272c23d0eff028f4d43e05b1b9ba681c8fb13bb83b", "type": "new_terms", - "version": 208 + "version": 209 }, "02137bc2-5cc2-4f7f-a8e4-c52dc239aa69": { "rule_name": "AppArmor Policy Violation Detected", "sha256": "88dba2a32e25df07ff1ec197f82476ff39ecf0522f67fee729ea5d919aaf7d62", "type": "eql", - "version": 1 + "version": 2 }, "02275e05-57a1-46ab-a443-7fb444da6b28": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities", "sha256": "539f711b818d81795aaa0685de7d462dde5553ec579eb775fdcf8f69ab9227d5", "type": "eql", - "version": 4 + "version": 5 }, "022c37cd-5a4f-422b-8227-b136b7a23180": { "rule_name": "Azure Arc Cluster Credential Access by Identity from Unusual Source", "sha256": "71236804fae2460ed5d446795ca47484be4217066c02e16e29684c83d8c4d403", "type": "new_terms", - "version": 3 + "version": 4 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "effdc73f270011dd596efce8ebf1cec1af482896d9c27adf8015357428042c50", "type": "eql", - "version": 211 + "version": 212 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "ea027afabe0d5c7840b6fa74533bd16b107d9fe59b134747165b941da38827f8", "type": "new_terms", - "version": 208 + "version": 209 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an 
Elevated Token", "sha256": "c9ca8efdee1a28a5dab4c8569bdcc0b3f97a2dbf4857ba44b4691a0992a386ba", "type": "eql", - "version": 12 + "version": 13 }, "02a4576a-7480-4284-9327-548a806b5e48": { "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "6089c2d9e1a728c906a10e30c7d3eca6eb9962492dde251a805ef9e7b97f8ee6", "type": "eql", - "version": 312 + "version": 313 }, "02b4420d-eda2-4529-9e46-4a60eccb7e2d": { "min_stack_version": "9.4", 
@@ -128,56 +128,56 @@ "rule_name": "Spike in Group Privilege Change Events", "sha256": "d8194e445c87e8157a08b8aacf0fd3e0cafe76ef4c01be534907b1acb4c90108", "type": "machine_learning", - "version": 105 + "version": 106 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { "rule_name": "Potential Ransomware Note File Dropped via SMB", "sha256": "5888e1f7b14960dd1d20594bea541a44ae3029b63ca3ce47feb51f121784e9d4", "type": "eql", - "version": 8 + "version": 9 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "66859e52222069071bde2462f6cd971de312d63c6ca5da48abd9bde1d8a9986a", + "sha256": "461a4ec7597b693fe5f35f593cdf375a1d5d719622fcf7de882224c58a1eb06a", "type": "eql", - "version": 111 + "version": 113 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "M365 Exchange Email Safe Attachment Rule Disabled", "sha256": "a13cc41b5296170dea0f9410986cbb6e32524cd0655f9b7dd0cde9738b7fe8ae", "type": "query", - "version": 213 + "version": 214 }, "03245b25-3849-4052-ab48-72de65a82c35": { "rule_name": "GitHub Actions Unusual Bot Push to Repository", "sha256": "8299a1ebfbcff5d084b1ffd256aaa5dbf5d7929e8b0a9037bc7d83792b927b4c", "type": "new_terms", - "version": 3 + "version": 4 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", "sha256": "65e29cfdd640c3d225586aceda29585c5bc3a9e76ff34a0764f403094b8c9ade", "type": "threshold", - "version": 218 + "version": 219 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { "rule_name": "Potential Memory Seeking Activity", "sha256": "6f7728c25cb5067fe5f3da92b9e429591bee6ca7b05b0dc967ed772bfc19c1d4", "type": "eql", - "version": 7 + "version": 8 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { "rule_name": "Suspicious Dynamic Linker Discovery via od", "sha256": "1955ce390a89fb19809e63ab7de3f8c5daa3aad4045bec36bcaa5b65779e457d", "type": "eql", - "version": 108 + "version": 109 }, "0398c0a2-1237-478e-84c4-84510f1925e6": { "min_stack_version": 
"9.3", "rule_name": "Suspicious Container Runtime CLI Execution", "sha256": "d5f015f6a331cc001e19f26c5ee3d237fb5ef1aa6b240399f308719833d3852f", "type": "eql", - "version": 1 + "version": 2 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { "rule_name": "Deprecated - SSH Process Launched From Inside A Container", @@ -189,31 +189,31 @@ "rule_name": "First Time Python Accessed Sensitive Credential Files", "sha256": "aa5c2a00f56d00f3919acc63046fbd07594b643728777215c6faf15acefea5b8", "type": "new_terms", - "version": 2 + "version": 3 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "rule_name": "Potential Network Scan Executed From Host", "sha256": "74510e92c414883b3395c16038036135ff8ab99e5598ed0fa19fdadd86e0b701", "type": "threshold", - "version": 8 + "version": 9 }, "03d856c2-7f74-4540-a530-e20af5e39789": { "rule_name": "Multi-Base64 Decoding Attempt from Suspicious Location", "sha256": "074027b2bad9f1ac786fc520f793d1c3f48adbf4c5dee422b7ac017e8197672a", "type": "eql", - "version": 3 + "version": 4 }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { "rule_name": "First Time AWS CloudFormation Stack Creation", "sha256": "5a13a67e1b4bf143cfe2a0d8d3447f6a60fc0715e8494ee228a0040708d817d9", "type": "new_terms", - "version": 8 + "version": 9 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Renaming of OpenSSH Binaries", "sha256": "9ee995138cffed589e949a0c429e822f01d39ee3d4e57daa0b0130de809eae76", "type": "query", - "version": 115 + "version": 116 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", 
@@ -235,98 +235,98 @@ "rule_name": "High Number of Protected Branch Force Pushes by User", "sha256": "eafae5474516c5620352bbf6fdc4e5746adb3cf882352bad06a19d7dbfd26020", "type": "esql", - "version": 104 + "version": 105 }, "043d80a3-c49e-43ef-9c72-1088f0c7b278": { "rule_name": "Potential Escalation via Vulnerable MSI Repair", "sha256": "e2c6fff3a05f4beae4ec1516c8b501efd3c644f9f9429d133b66003586f72649", "type": "eql", - "version": 207 + "version": 208 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "rule_name": "Entra ID Global Administrator Role Assigned", "sha256": "9e8ad446f3a34d36c690d2af3ab183e06ef27545b244ce0b4f700d573cb8c71d", "type": "query", - "version": 108 + "version": 109 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { "rule_name": "User Added to the Admin Group", "sha256": "821c6dce76699d5db4ac9172fa84dc029f5ef229b4440a41bf7d9a375104654d", "type": "eql", - "version": 6 + "version": 7 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Suspicious Microsoft Antimalware Service Execution", "sha256": "c4b43d411a14ed5441f18c7ac996e4d2ca17ce62a46155c9b8ef8a35e8e612f9", "type": "eql", - "version": 219 + "version": 220 }, "054853f3-2ce0-41f3-a6eb-4a4867f39cdc": { "rule_name": "M365 Defender Alerts Signal", "sha256": "b4a2a0cb67bf979baded41864bc6fa10883535dc419e6b6488ba8b1c8d0fb907", "type": "query", - "version": 2 + "version": 3 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", "sha256": "af7ccb91cc20e0406d5dbf0a368623b91dbe2fe0345075123197e22162c25280", "type": "eql", - "version": 13 + "version": 14 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "489f0b6d8e4c6a6b209771bd6fe6a15862f20fa603d6b726a5b1c1446bfb9099", "type": "eql", - "version": 220 + "version": 221 }, "05a50000-9886-4695-ad33-3f990dc142e2": { "min_stack_version": "9.3", "rule_name": "System Path File Creation and Execution Detected via Defend for Containers", "sha256": 
"651ccae1e6baff5b1d018b9d02b49fa294970a75eddd6ad69ee73c7be6983531", "type": "eql", - "version": 2 + "version": 3 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "28db07df550ab0c72b01f5a00328a9a82b8baba0149cd6d30f2c8c1120db1690", "type": "eql", - "version": 314 + "version": 315 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "rule_name": "Tainted Kernel Module Load", "sha256": "d4df17e4c4a8b6081d4dc4c4682ee25d1ed06862635d77ea153047f150e1b1f7", "type": "query", - "version": 10 + "version": 11 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "aa3c02fb79c761a80f4964773218383ce6f2fa3d6edbb33b4228d9f58a4d7224", "type": "eql", - "version": 114 + "version": 115 }, "05f2b649-dc03-4e9a-8c4e-6762469e8249": { "rule_name": "Suspicious AWS S3 Connection via Script Interpreter", - "sha256": "bdcf91c78e9c5c094fb384d21437ea44ff202ce66a874ddeb50bbd6be3ecd14f", + "sha256": "669be78f871a6559df4a0c80ef44125d4cce232a4846f117ea367f27bf06a8c4", "type": "esql", - "version": 3 + "version": 5 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", "sha256": "287d45f63f9e0a5633a9830bc210991eedc0daf0db72f995831d011600a3b750", "type": "eql", - "version": 217 + "version": 218 }, "064a2e08-25da-11f0-b1f1-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk", "sha256": "fbb58851e7b0642dbb3d884af38bac704a32fd6065228ae2d97cc8769bf6a93f", "type": "query", - "version": 5 + "version": 6 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "rule_name": "System Time Discovery", "sha256": "3c5edef6420d3b719294df8da79f6f77b0e473d0d2f3bbd1fa89103aa8f53bcf", "type": "eql", - "version": 114 + "version": 115 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "min_stack_version": "9.4", 
@@ -342,97 +342,97 @@ "rule_name": "Unusual Remote File Size", "sha256": "ea21c2579a2ea6d078cc251597362fa05d6ad0a2b65fc498d6c5059636d8b638", "type": "machine_learning", - "version": 109 + "version": 110 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "61186ac011e99a690ffc2ca0232ca0d4c1a56577cd1b882fc838f4adec3b1372", "type": "eql", - "version": 215 + "version": 216 }, "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { "rule_name": "Dynamic Linker (ld.so) Creation", "sha256": "6350e0d9141e53b3f2c4ecc5b9384512cd89637b34bb845ffedb10e893777303", "type": "eql", - "version": 107 + "version": 108 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", "sha256": "e0fc6fce12b37afcc2729cc67ce98534a81f241684b19f9763e9f1220fd3d190", "type": "eql", - "version": 220 + "version": 221 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Prevented- Elastic Defend", "sha256": "39ab8efbaba1708840ab6193657a5a186f3a085b6224598c77a08006514293dd", "type": "query", - "version": 4 + "version": 5 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "b61bad8552dae17b256c73cb62eb7e5240586363ca2bdfae7dce74ffc35cb129", "type": "eql", - "version": 318 + "version": 319 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "5b3ad0cab15b804ec79acfddc6075930f20e13bdc9b7df71afa2bab6135aa015", "type": "eql", - "version": 210 + "version": 211 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", "sha256": "2a82445079956301b16981f1c33b9a8f5c65ffee6d2ef7b6948e62f24689a072", "type": "threshold", - "version": 9 + "version": 10 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "e5ead4056278a234ee157310599f05d05e66fe7be04c4658c711e90a8fbfdd8e", 
"type": "eql", - "version": 321 + "version": 322 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "cf7654ebd4c213e045aaa2ad22109e5d4d8d75c557757a8402eabe3919da5acb", "type": "query", - "version": 111 + "version": 112 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", "sha256": "e0131321585947ebb113994bcb41271b69a40753710365ea30b2a1204ad5008d", "type": "eql", - "version": 113 + "version": 114 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Service Creation and Immediate Loading", "sha256": "6e6a989495990c86ba5a6dc1a3178fbe5dc8a8e23542837ce40be022461703e9", "type": "eql", - "version": 112 + "version": 113 }, "083383af-b9a4-42b7-a463-29c40efe7797": { "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", "sha256": "df58a717def18bd6b87e4ee7c0b9b92e104cfaef8714f6029f3f4cc26a4c2f7a", "type": "esql", - "version": 11 + "version": 12 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", "sha256": "3e6315c69df778ac0ee943ef7672b9725a6c36ecdedf6c955d1609b9f0c936cc", "type": "eql", - "version": 111 + "version": 112 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "rule_name": "First Time Seen Removable Device", "sha256": "8d49ac6a7e4266309a445287ddba7de4a7c3953b54030f6bb1b22a2579d6e607", "type": "new_terms", - "version": 214 + "version": 215 }, "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": { "rule_name": "Node.js Pre or Post-Install Script Execution", "sha256": "f161b256265c51cd268982d28acc9d9220cc7c1aba15a8b036c39d9ae9253da3", "type": "eql", - "version": 4 + "version": 5 }, "08933236-b27a-49f6-b04a-a616983f04b9": { "rule_name": "Alerts From Multiple Integrations by Destination Address", 
@@ -444,7 +444,7 @@ "rule_name": "Windows Account or Group Discovery", "sha256": "ce8ca8f191f83b34e7b0a028117f3ed158af3ebc4c3f9d40a1614f01033cd93e", "type": "eql", - "version": 8 + "version": 9 }, "08be5599-3719-4bbd-8cbc-7e9cff556881": { "min_stack_version": "9.4", @@ -460,7 +460,7 @@ "rule_name": "Unusual Source IP for Windows Privileged Operations Detected", "sha256": "cba194c97b4198045ac48cbff7beb5cf8aa6cd337abe8b945d0e921ea725f96c", "type": "machine_learning", - "version": 104 + "version": 105 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", @@ -472,13 +472,13 @@ "rule_name": "Attempt to Clear Logs via Journalctl", "sha256": "dc61913b2bea0be5a6013cb04da91ce28b84fce2780a58eb7bcb8c1a871ba003", "type": "eql", - "version": 2 + "version": 3 }, "092b068f-84ac-485d-8a55-7dd9e006715f": { "rule_name": "Creation of Hidden Launch Agent or Daemon", "sha256": "89f5838ed3a10f58fb95b54bf3a065b1edfcbccc6e82ba7249e7714ec14af877", "type": "eql", - "version": 113 + "version": 114 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "rule_name": "Deprecated - Process Termination followed by Deletion", @@ -490,7 +490,7 @@ "rule_name": "Member Removed From GitHub Organization", "sha256": "2ffad86dda9d63530d2b961af027f8ccf552593370bec658c394b6bfbee14ed9", "type": "eql", - "version": 206 + "version": 207 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", 
@@ -512,25 +512,25 @@ "rule_name": "Spike in Special Logon Events", "sha256": "af7d7f8466de0579c7532f0e4cc5b23f711bc0484f6e516cc0f3962f7e510a6c", "type": "machine_learning", - "version": 104 + "version": 105 }, "098bd5cc-fd55-438f-b354-7d6cd9856a08": { "rule_name": "High Number of Closed Pull Requests by User", "sha256": "f46d127ff65faf71c8a8b0f3fb5821e6deb79ff046965cbe27aa8f63f7229354", "type": "esql", - "version": 4 + "version": 5 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "sha256": "21a80a8417bb2147dbcfad3bbd1dbac0c463712efa27f14464c0547f66e34582", "type": "eql", - "version": 11 + "version": 12 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure VNet Firewall Front Door WAF Policy Deleted", "sha256": "2d00df8fc7b00a913e0c182043c1a112d1b2690af2c81572f80ad04a284e5df0", "type": "query", - "version": 108 + "version": 109 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Elastic Endgame", @@ -542,19 +542,19 @@ "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "sha256": "6a2860edb5ebe67b8ddbfd0633c2fc64f43eb9a1a0b6cb59f298b6e207944b51", "type": "query", - "version": 9 + "version": 10 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "rule_name": "Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "62831c7e91ee7ce21ec1904ea276f67fc1771d890a541a18fba380632f6a8e04", "type": "query", - "version": 213 + "version": 214 }, "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { "rule_name": "Yum Package Manager Plugin File Creation", "sha256": "dbae98880bf9a0c1e97107f8d4f2e8db844623eea45f77f379c744c955ea36dc", "type": "eql", - "version": 10 + "version": 11 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "9.4", 
@@ -570,61 +570,61 @@ "rule_name": "Anomalous Windows Process Creation", "sha256": "4322d572dd7347e0c0b1fe18bb2c528d15656965e263d2d9209a6ccbe24facdd", "type": "machine_learning", - "version": 312 + "version": 313 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", "sha256": "02414f778b92b4c687768c61989adb3f2b632c354674ecf7c580d1e549cdba9b", "type": "query", - "version": 221 + "version": 222 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", "sha256": "09dffcc4e5124f18d47919fe93f50abaeb60d6834acf7ead306f212a6eba4afd", "type": "eql", - "version": 6 + "version": 7 }, "0b79f5c0-2c31-4fea-86cd-e62644278205": { "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", "sha256": "930b95c69bf6eea872d22434afefa58e36c3427fe3074d3010aa7531c87510b7", "type": "eql", - "version": 7 + "version": 8 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "rule_name": "Potential Shell via Wildcard Injection Detected", "sha256": "7d77a4998b0ebb67b07e857ede2aade5168aa1ae3854965f321bbac0e38be89f", "type": "eql", - "version": 113 + "version": 114 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "rule_name": "Attempt to Establish VScode Remote Tunnel", "sha256": "438c321a47c109bde474d6eeb1ea633ec7f60705edf876aaaa4b0a8dfec1af2b", "type": "eql", - "version": 112 + "version": 113 }, "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": { "rule_name": "Elastic Defend and Network Security Alerts Correlation", "sha256": "15b613d3ba0acece6a8253f34df9e3f8528ec9a65642dfb2585425a083f8b7a6", "type": "esql", - "version": 7 + "version": 8 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "rule_name": "Processes with Trailing Spaces", "sha256": "eea37dd20530605c66b9747aec38cabb0194bce5bb2991f9b1744136a6c3cf26", "type": "eql", - "version": 5 + "version": 6 }, "0c1e8fda-4f09-451e-bc77-a192b6cbfc32": { "rule_name": "Potential Hex Payload Execution via Common Utility", "sha256": 
"93cd06950bf1b69b6bd8abd8923e82b0e7c578c6e93606cfcd6be0f5909f8bb7", "type": "eql", - "version": 107 + "version": 108 }, "0c3c80de-08c2-11f0-bd11-f661ea17fbcc": { "rule_name": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User", "sha256": "990caac706a81700f2a8457d690ca56ba943e899e776bb8e8d053ee4aa3d5d13", "type": "new_terms", - "version": 8 + "version": 9 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", @@ -636,13 +636,13 @@ "rule_name": "Ransomware - Detected - Elastic Defend", "sha256": "4cd274302356966cd95f09c1100bc8a7ded3746edf7901cc0a36a7d8a85120fb", "type": "query", - "version": 5 + "version": 6 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", "sha256": "156bd381d564774d81e1860d26cfc6d4a84a75a320968e06ed2b550945efaa1c", "type": "eql", - "version": 316 + "version": 317 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "rule_name": "Deprecated - Threat Intel Indicator Match", @@ -664,19 +664,19 @@ "rule_name": "High Command Line Entropy Detected for Privileged Commands", "sha256": "e1065505966fda7f392ba493ac2b31b91e6f378c082d6704f3134ac39a389494", "type": "machine_learning", - "version": 104 + "version": 105 }, "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", - "sha256": "b8b8dd78b8c6c7dc7963683187e44adf10d7f96d6f8fb08ea9d8a6f1015f376b", + "sha256": "2d520b970c95e1e70958288a6575a3b71c21e856ff41cb18b171b44506169b45", "type": "esql", - "version": 8 + "version": 10 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "M365 Exchange Mailbox High-Risk Permission Delegated", "sha256": "894f2eba51cb0eb9109b09f87d273ae20204ec8d8ff1a5d3cd366e6650808047", "type": "new_terms", - "version": 214 + "version": 215 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "rule_name": "Multiple Alerts Involving a User", 
@@ -686,21 +686,21 @@ }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph", - "sha256": "51e32252c859489884ccd4518fe7dae46ab0cea3f05342fccdf9a5b466fc0e2c", + "sha256": "472e86a957fc6ecf72dde9cd5c8c0671d265c7ca592ce1fab10419723a16ecbc", "type": "esql", - "version": 10 + "version": 12 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", "sha256": "dd76e3f0f0d4cc6807c6afcd4c5894467e3047dd19959748a879badf05fd647a", "type": "eql", - "version": 213 + "version": 214 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "3a48b704510ee51161efcef2c5705490f323ebcfa4d2df40ecc16fad5fff2fe8", "type": "eql", - "version": 115 + "version": 116 }, "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": { "min_stack_version": "9.2", 
@@ -716,49 +716,49 @@ "rule_name": "AWS Access Token Used from Multiple Addresses", "sha256": "77f473d39331e99c4f5139d471dc7043828fe6b9f3f0cddcf60878264857b71a", "type": "esql", - "version": 208 + "version": 209 }, "0dd84246-a723-49ba-9f4e-a1e1dfa15990": { "rule_name": "Potential Privilege Escalation via unshare Followed by Root Process", "sha256": "6118b8b7dee465096a34d550a7c8f2720f92f9506cf447e07f2c3b5f821c5f26", "type": "eql", - "version": 1 + "version": 2 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", - "sha256": "6319c31a290d00e0983d81b1971155caa96f3687a61721f79286857c1bbbbab0", + "sha256": "abe81409b4f3930ca47eebd6a12cc582818fdd323afa0d361dd47d0e3ae9a830", "type": "esql", - "version": 5 + "version": 7 }, "0e42f920-047d-4568-b961-2a50db6c4713": { "rule_name": "Potential Persistence via Mandatory User Profile", "sha256": "b8d61454cd6ec06100946627852de41f7198a191f70683750b03297e6247a441", "type": "eql", - "version": 3 + "version": 4 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "15cd22677a8340711fed0f7030ff28056951bba6f1f4f4c74dacd31c27371ef5", "type": "new_terms", - "version": 208 + "version": 209 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "M365 SharePoint Malware File Detected", "sha256": "219149d921e9d74f4d05b7c228fa56ee3ae14df3a2c0373e981d498069bb89f4", "type": "query", - "version": 213 + "version": 214 }, "0e524fa6-eed3-11ef-82b4-f661ea17fbce": { "rule_name": "M365 OneDrive/SharePoint Excessive File Downloads", "sha256": "f8d745a83d271544f83eefd939f7a08615847df7c8b31a345065cbc06db50ccd", "type": "esql", - "version": 9 + "version": 10 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", "sha256": "a7de922125422835641adbae4ac03d3876d7db4b40c6a39e3039ef79757b5c0a", "type": "query", - "version": 109 + "version": 110 }, 
"0e67f4f1-f683-43c0-8d45-c3293cf31e5d": { "rule_name": "Lateral Movement Alerts from a Newly Observed Source Address", @@ -770,7 +770,7 @@ "rule_name": "MsBuild Making Network Connections", "sha256": "1d2f40489c68453c001300064c4191b3c1118961bcbf8f98ef0ae3d7af2a7f6a", "type": "eql", - "version": 216 + "version": 217 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { "min_stack_version": "9.3", 
@@ -786,43 +786,43 @@ "rule_name": "Sensitive Audit Policy Sub-Category Disabled", "sha256": "ab3e71024a071b7fdfe5a78867ce7b97ee798a14a25a3ad4d5f93579c8d00be5", "type": "esql", - "version": 107 + "version": 108 }, "0f189343-dac7-4c1b-aca7-be8baa6bd02b": { "rule_name": "AWS EKS Control Plane Logging Disabled", "sha256": "3f3f94a9b977bf64c7ab034eb092132c770650ad6b1b602c9b5acc30f8c458da", "type": "query", - "version": 1 + "version": 2 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", "sha256": "0dd7907213fe1c2007ed13fc265447af5e1da11ec3932ac1bd234bac879ddd75", "type": "eql", - "version": 120 + "version": 121 }, "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": { "rule_name": "Polkit Policy Creation", "sha256": "390e710ade2de69e142c5ee48c04471d137a80031e3679e2c9675a40dbc10e4e", "type": "eql", - "version": 107 + "version": 108 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { "rule_name": "Netcat Listener Established via rlwrap", "sha256": "a0f0ae4b269a171b856191b76721c04753d2c3ed780decf03817b56e352235ee", "type": "eql", - "version": 109 + "version": 110 }, "0f5941c6-3db9-4d2f-91df-06c7c292ba45": { "rule_name": "Kubernetes Client Certificate Signing Request Created or Approved", "sha256": "6822f4f5fe5d3e698af1b1c09028b6c177c248af8515e0f1c7618e273ed73a8c", "type": "query", - "version": 1 + "version": 2 }, "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { "rule_name": "Behavior - Detected - Elastic Defend", "sha256": "d8fb41394bccffb0c9806c9a2edcf0cd1eefa2bc71a5d98d020b766f1e9e0c1c", "type": "query", - "version": 5 + "version": 6 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -834,20 +834,20 @@ "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "877b148eb16e5925faa6420c7ce4e5af877518280357765cf8b26d314d4866a4", "type": "threshold", - "version": 314 + "version": 315 }, "0fb25791-d8d4-42ab-8fc7-4954642de85f": { "rule_name": "Kubernetes Creation or Modification of Sensitive Role", - "sha256": "b9c97990e6ca915c311408c981892865fdd39e7032758dd0bf98eb9c14eb5af0", + "sha256": "04c07a1e6ccab3425baf4670e28552a9c9780f4762960cf484cf3abc3bd0bb31", "type": "esql", - "version": 3 + "version": 5 }, "0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": { "min_stack_version": "9.3", "rule_name": "Decoded Payload Piped to Interpreter Detected via Defend for Containers", "sha256": "99daa90cdf83d5fa31673dca3684a322c5b9b12882dbc2d4e82acfbc4a249401", "type": "eql", - "version": 2 + "version": 3 }, "0fe2290a-2664-4c9c-8263-b88904f12f0d": { "min_stack_version": "9.3", @@ -863,25 +863,25 @@ "rule_name": "Kubernetes Sensitive Configuration File Activity", "sha256": "bfc840c4e0154ce1c816dc7e6d4b277b6a431df45094be45f5f6c0166ac02aa4", "type": "eql", - "version": 103 + "version": 104 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "rule_name": "Privilege Escalation via Root Crontab File Modification", "sha256": "36da4f7c17d19fd33bbe592e8381c3917e11c309d47f43c7909d76b2740eb47b", "type": "eql", - "version": 110 + "version": 111 }, "1004ad5b-6900-4d28-ab5b-472f02e1fdfb": { "rule_name": "AWS SSM Inventory Reconnaissance by Rare User", "sha256": "1531a1d1f980b959ce58e42c0fb6a88915457be59be0697a2a52c266a55d4f25", "type": "new_terms", - "version": 3 + "version": 4 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { "rule_name": "AWS IAM Login Profile Added to User", "sha256": "65b7cb64433981f1907a05a2af586fe1deaa32e3e04f391a3b8be11d65cd67ef", "type": "query", - "version": 5 + "version": 6 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", 
@@ -893,37 +893,37 @@ "rule_name": "WebProxy Settings Modification", "sha256": "7a9a8ca308fe9d2c8060cae7cf57cb65402bef0f911c86790a0d29b8e978c4b7", "type": "eql", - "version": 211 + "version": 212 }, "10f3d520-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Ransomware - Prevented - Elastic Defend", "sha256": "3d0922a96d70e3acfbd3d41bfb8c15881b2c0754486948513d6e29ced4a004e4", "type": "query", - "version": 5 + "version": 6 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", "sha256": "be1fc253ed58440f6af839e8e5f79978eba0a908da3adb6fa9713f774fb8a7c0", "type": "query", - "version": 110 + "version": 111 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "f9bf3e298b294a41bb1856889477dcec525ec04804459de0294f14714ad143eb", "type": "eql", - "version": 219 + "version": 220 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "1224c28727d499af370240ca8e5ed7432294872e5d5258d9eedba7a8d8b72bb1", "type": "eql", - "version": 318 + "version": 319 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", "sha256": "b78786276c865fe5602cfe809acdf9d0912624f137a0cf4049b4b5aefb497f84", "type": "query", - "version": 213 + "version": 214 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", 
@@ -935,19 +935,19 @@ "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "a549668ec7559114b0115b356167686dc385ac990b386fb5e9f2b612c992357d", "type": "query", - "version": 119 + "version": 120 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "e2639febbe6e8a624a43a1a5782021cc15db735aef9129b0760de784416247ab", "type": "eql", - "version": 217 + "version": 218 }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "66bfe584a46f9c27ec808d78ca7f975b9ce6104c3bd2991510676d76e7e38cb5", "type": "query", - "version": 213 + "version": 214 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", @@ -969,13 +969,13 @@ "rule_name": "User Detected with Suspicious Windows Process(es)", "sha256": "f46f877d99943deae9fa5622e50247b35000bc4fa24fcdc5637f394a543ec995", "type": "machine_learning", - "version": 211 + "version": 212 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { "rule_name": "AWS Lambda Function Created or Updated", "sha256": "1360886265d6aeb35c9b356643d02b243b43284698ffec99bd03641da8d34084", "type": "query", - "version": 4 + "version": 5 }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", 
@@ -987,43 +987,43 @@ "rule_name": "Suspicious Lsass Process Access", "sha256": "13ea12c18b065bc285ea95a16119242a9882ef4c3103f521a1c701921ec69cd5", "type": "eql", - "version": 212 + "version": 213 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent", "sha256": "7c11440601de84729a35dfa170c057f749e1ed8943734cdad5d540f97f0900bf", "type": "new_terms", - "version": 211 + "version": 212 }, "12cbf709-69e8-4055-94f9-24314385c27e": { "rule_name": "Kubernetes Pod Created With HostNetwork", "sha256": "957cd8a8925cca175889fadff063ff73d18f178be083cbff70f868dfff58ad72", "type": "query", - "version": 210 + "version": 211 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "d32351494ff1b9ffd9ba55acf3ca09d761a8cc3d4944657b331a3e2cd0c2a611", "type": "eql", - "version": 211 + "version": 212 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "12486e435a49a8d6ae015693d43d444504c7f0ce79d8ac3f8e560b1a067e9cae", "type": "eql", - "version": 322 + "version": 323 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "rule_name": "Persistence via Scheduled Job Creation", "sha256": "a4cef089a97baa377ce98b7cb50c1a47a4a67b0f74e854692264582b8a57614e", "type": "eql", - "version": 416 + "version": 417 }, "135abb91-dcf4-48aa-b81a-5ad036b67c68": { "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", "sha256": "a9b1539d0e9db24ff1c2c89fbce7703a1e17089844275ce75a152f357dcffb33", "type": "eql", - "version": 107 + "version": 108 }, "138520d2-11ff-4288-a80e-a45b36dca4b1": { "min_stack_version": "9.4", @@ -1039,7 +1039,7 @@ "rule_name": "Spike in Group Membership Events", "sha256": "6833917467dfd8d34a81995993907c41c52722e7afecb30ec5fec5641477c8f2", "type": "machine_learning", - "version": 104 + "version": 105 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "min_stack_version": "9.4", 
@@ -1055,13 +1055,13 @@ "rule_name": "Rare User Logon", "sha256": "e7b1144434301dcf8d3c853460221fd971055d06b21eae12d6434b5e898d91e3", "type": "machine_learning", - "version": 207 + "version": 208 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - Note Files by System", - "sha256": "a4773853ce1ea436c93f739ecc375ebc074829200e0ed449ee0e3bec0becb585", + "sha256": "a9f85172bac9830301829a91b05587e31bd7f5ab365927804ae2705b2f5ef2de", "type": "esql", - "version": 215 + "version": 217 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", 
@@ -1073,85 +1073,85 @@ "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score", "sha256": "526f288219500704dab7160a26e0af9e6dbb812dcf0e2b12895e0f2412792343", "type": "eql", - "version": 13 + "version": 14 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Entra ID External Guest User Invited", "sha256": "3cc4581f69c27422b3f2353597665249059ba22ef323c49c2b97218a803eaac9", "type": "query", - "version": 109 + "version": 110 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "0ad5c2e271c9001326aa27dfc63f6c35a4138bc03e6a1e4db48aaeac803e30f6", "type": "query", - "version": 111 + "version": 112 }, "14dab405-5dd9-450c-8106-72951af2391f": { "rule_name": "Office Test Registry Persistence", "sha256": "6ae151273f3904946010828516f37ea7cb7152e34ac5eebb85174cd704f59d78", "type": "eql", - "version": 109 + "version": 110 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "rule_name": "Kubernetes User Exec into Pod", "sha256": "b84822387863316ee7e038ffc13bbf210e9d66bdd21bc0c4cbc1806a7a261d09", "type": "eql", - "version": 211 + "version": 212 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "5fb9943cdf453b43370e6f92b8be06a5dfe213e2bcd3566aa2e2bd08e9d21e7b", "type": "eql", - "version": 317 + "version": 318 }, "14fa0285-fe78-4843-ac8e-f4b481f49da9": { "rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application", "sha256": "1d5cd26347a6790ae2294701743b179765b2d5f29842f30b7564687d387f8cc7", "type": "query", - "version": 8 + "version": 9 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "da0623d8382c2550dc8e2605907d304a97ce85101085e93eaae2be757ed6242f", "type": "new_terms", - "version": 209 + "version": 210 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to 
Allow Public Invocation", "sha256": "1e38ba5abce5df6e94d4f7ff4ef607302c6726044195ba8953854867fec17b60", "type": "eql", - "version": 8 + "version": 9 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": "Execution from a Removable Media with Network Connection", "sha256": "4f8dae1671164a15e104cf7087d42d6a879f2c0809501137ee183c0f3f3ee364", "type": "eql", - "version": 7 + "version": 8 }, "15606250-449d-46a8-aaff-4043e42aefb9": { "rule_name": "Suspicious StartupItem Plist Creation", "sha256": "f63835bd6dbd1ae1525c1f9d9b34983545dcb86f455e65e49d50b96726bcd6c8", "type": "eql", - "version": 1 + "version": 2 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "7c14ff284718226ea6475885fa3d285019ef181a69705bed2afb9f25ce81b4fc", "type": "eql", - "version": 216 + "version": 217 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "62c79ce5bae7cf736a51c50a7e07508e4a50999a807161a4e0c68835b2a29780", "type": "eql", - "version": 320 + "version": 321 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", "sha256": "11df8567d6795588d2f0b1c35dd8ca813fcf809258461c5483790a459bdc1cc9", "type": "eql", - "version": 113 + "version": 114 }, "1600f9e2-5be6-4742-8593-1ba50cd94069": { "min_stack_version": "9.3", @@ -1167,7 +1167,7 @@ "rule_name": "Kubectl Permission Discovery", "sha256": "88b8163bdbf4231ba333b88a4662e21abc05924a08f51847cda7ed108328e09c", "type": "eql", - "version": 106 + "version": 107 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { "min_stack_version": "9.3", 
@@ -1183,67 +1183,67 @@ "rule_name": "Potential release_agent Container Escape Detected via Defend for Containers", "sha256": "83cc6f40e6132026e20c447cd04f8cba5947105f81fe35a20b393a650d0ca896", "type": "eql", - "version": 104 + "version": 105 }, "1615230f-beb7-48d8-9b3f-6d10674703bf": { "rule_name": "Suspicious SIP Check by macOS Application", "sha256": "fa8c6092c9b9b8566ea7901262f4a9a3660b455e07ecb434fb833cdee30197d6", "type": "eql", - "version": 2 + "version": 3 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "090781ceb0f70e5c6d5854c34e2def7e8983a8c0fc34e614674ef24f4a9c74d9", "type": "query", - "version": 108 + "version": 109 }, "163a8f2f-c8a0-4b7e-9c4a-1184310eb7f3": { "rule_name": "Potential CVE-2025-32463 Nsswitch File Creation", "sha256": "811b20416cead7025ab23de710ac19ed81924cc270507221b356a395d5fd4940", "type": "eql", - "version": 3 + "version": 4 }, "166727ab-6768-4e26-b80c-948b228ffc06": { "rule_name": "Potential Timestomp in Executable Files", "sha256": "d412a6320c3b63e9d14e2897865c8df7a907154312cbc26891375687109ccfa0", "type": "eql", - "version": 111 + "version": 112 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", "sha256": "d044c2e031f6739d53c3387ad4e0c7f4e1617a0fad10f442fa29118f43b2a0e0", "type": "eql", - "version": 112 + "version": 113 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", "sha256": "a18672298cd92d568cb52d61601a039e39aa68213d8dc698fcdfa49d06280434", "type": "query", - "version": 212 + "version": 213 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", "sha256": "d4267bbb2896541227ff0042bb5fd07bf0d5d673472429d931cda1a80f41b666", "type": "eql", - "version": 120 + "version": 121 }, "16acac42-b2f9-4802-9290-d6c30914db6e": { "rule_name": "AWS S3 Static Site JavaScript File Uploaded", - "sha256": 
"6b1835065de149596f5514acac7116d616ab69afd1ff4bd6c3187a13fe27493f", + "sha256": "d6e67ba8f5d522fdaf54905ce6676e2bf94e5b7fd3b04aa26f92e5975ffa52e5", "type": "esql", - "version": 8 + "version": 10 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "e9d66fb58444a717fbb2b15ebf5f7ed7e2d888737fdf681a8537349fb9d7f291", "type": "eql", - "version": 216 + "version": 217 }, "1719ee47-89b8-4407-9d55-6dff2629dd4c": { "rule_name": "Persistence via a Windows Installer", "sha256": "96017fdffa7b8eafbd4630fac4ec0b8079bee2375bcd6ab550558ff48cf9bf1f", "type": "eql", - "version": 7 + "version": 8 }, "171a4981-9c1a-4a03-9028-21cff4b27b38": { "rule_name": "Suspected Lateral Movement from Compromised Host", @@ -1253,9 +1253,9 @@ }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", - "sha256": "2eeb4a2916c11aeca4185ded593f86975317296adad1f32d19f4d5f39f380f53", + "sha256": "5b8d5a1b99c6b3e9b8f23db751a98aa42d12ea85d9927aac93c2ed685d2b6655", "type": "esql", - "version": 7 + "version": 9 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "9.4", @@ -1271,7 +1271,7 @@ "rule_name": "Unusual Windows Username", "sha256": "439a53c97f890e9069f64ade7995b100cf7c08ab3c4305b076c384db5cf6477d", "type": "machine_learning", - "version": 310 + "version": 311 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "min_stack_version": "9.4", @@ -1287,7 +1287,7 @@ "rule_name": "Unusual Windows Service", "sha256": "0eea7398ab7fbbc674a804b6fc2fb7f331e747e7c1a28927089d51e5254a48de", "type": "machine_learning", - "version": 310 + "version": 311 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "min_stack_version": "9.4", 
@@ -1303,7 +1303,7 @@ "rule_name": "Suspicious Powershell Script", "sha256": "815e86bb07efd5d73767e45677054f24f0b072412b4ba7210f195289eb9e9832", "type": "machine_learning", - "version": 311 + "version": 312 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "min_stack_version": "9.4", @@ -1319,7 +1319,7 @@ "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "ac8baea0b2fd71b85c09a46482ad8e3c79f0334488c25ee2018c79f274231c4c", "type": "machine_learning", - "version": 310 + "version": 311 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "min_stack_version": "9.4", @@ -1335,7 +1335,7 @@ "rule_name": "Unusual Windows Remote User", "sha256": "c2541cadb2d1d9936e120b6daad7cae971b5d2ba79deb01bc3a044a885695f5b", "type": "machine_learning", - "version": 310 + "version": 311 }, "178770e0-5c20-4246-b430-e216a2888b23": { "min_stack_version": "9.4", @@ -1351,25 +1351,25 @@ "rule_name": "Spike in User Lifecycle Management Change Events", "sha256": "78e9dfe6280543b50244e70ade9ca9266f8f77531dcb55cdc872a95de1c944ae", "type": "machine_learning", - "version": 105 + "version": 106 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", "sha256": "4c1feb2d691a715844f24edbb5207bc35a4fdeee0d7314d708aeaba89adbbf0d", "type": "eql", - "version": 20 + "version": 21 }, "17b3fcd1-90fb-4f5d-858c-dc1d998fa368": { "rule_name": "Initramfs Extraction via CPIO", "sha256": "87ea53b4b70ebf750914ab208825d5c3c7161366d9b24c6267fb095279b01da7", "type": "eql", - "version": 6 + "version": 7 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "11eedb38f0535b593e7587c7ae9c0c9b1f11713712345cb14aa032c4251e687b", "type": "eql", - "version": 218 + "version": 219 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "min_stack_version": "9.4", 
@@ -1385,25 +1385,25 @@ "rule_name": "Unusual Network Destination Domain Name", "sha256": "65a861fcdfcd0c2366b569e4e3c8e7a599512fa2331ece1fb23f58ed93ff1b85", "type": "machine_learning", - "version": 209 + "version": 210 }, "181f6b23-3799-445e-9589-0018328a9e46": { "rule_name": "Script Execution via Microsoft HTML Application", "sha256": "f5b07367a229e2cc48754deee2bffbec577230719548e1c91cb73bd36b064536", "type": "eql", - "version": 210 + "version": 211 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", "sha256": "b5bfa9c5bdbb2ac76c679d8e7c12aa4614561e8f0815a77d48fccf5feedd3a89", "type": "eql", - "version": 7 + "version": 8 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", "sha256": "acbdc60b1dddabc74eeaf2f73f1a26c51ced274c1226442b720a366f7bf37d2e", "type": "query", - "version": 109 + "version": 110 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", @@ -1415,7 +1415,7 @@ "rule_name": "AWS Secrets Manager Rapid Secrets Retrieval", "sha256": "800ebd4d1ef253c688e649cd84fca4d2da5b8896f3537ecaa252855132cd0cc6", "type": "threshold", - "version": 8 + "version": 9 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "min_stack_version": "9.4", 
@@ -1431,43 +1431,43 @@ "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "12ba54701c9c9a48fe730d815cf85aa3e3e17eb721b01045f3015cf5f197813b", "type": "machine_learning", - "version": 109 + "version": 110 }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", "sha256": "718358b1e1c35b97028b4230acd16b8d1f36c355982f8acbeef3d773809c1f86", "type": "eql", - "version": 12 + "version": 13 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", "sha256": "6e73ca10f3e881fa538c71a4fa49fa6d7dd2022afd6c94c19a3c9c2bc3a24e01", "type": "eql", - "version": 10 + "version": 11 }, "1955e925-6679-4535-9c1b-28ebf369f35f": { "rule_name": "Suspicious File Creation via Pkg Install Script", "sha256": "bf39e06d8e8bcb3450813ab5d58f0a03c28e5cf9893bdc6abcfef843e67f134b", "type": "eql", - "version": 2 + "version": 3 }, "1965eab8-d17f-4b21-8c48-ad5ff133695d": { "rule_name": "Kernel Object File Creation", "sha256": "2e671c13c33cb02522db10a2ec30e4b58a107647589f9ff89a5f1b1259a43cb2", "type": "new_terms", - "version": 6 + "version": 7 }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region GetServiceQuota Requests", - "sha256": "34009951e545cd9d705e6cac58d2af9dba570cc5dcec0e69c192d165f28be6d3", + "sha256": "6424aa369601d574151cb5a03827f6b7d7ea6d5cda6f6daec0ce91e4cc068499", "type": "esql", - "version": 10 + "version": 11 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", "sha256": "b836fac20b0940bfc3175c371b5a9a9693cc738c58e02cce56b41be1d943bddb", "type": "machine_learning", - "version": 212 + "version": 213 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "min_stack_version": "9.4", 
@@ -1483,19 +1483,19 @@ "rule_name": "Spike in Number of Processes in an RDP Session", "sha256": "fe983ed864521ad6cf3fe4e5be5ab60aef58b86a53412d26c0425b6eb0d442b4", "type": "machine_learning", - "version": 109 + "version": 110 }, "19f3674c-f4a1-43bb-a89c-e4c6212275e0": { "rule_name": "GitHub Exfiltration via High Number of Repository Clones by User", "sha256": "d44f81cce81f9989e3da9c9690ce5f15e1d0f708db04fecc4fc46560c28e35ba", "type": "esql", - "version": 4 + "version": 5 }, "1a1046f4-9257-11f0-9a42-f661ea17fbce": { "rule_name": "Azure RBAC Built-In Administrator Roles Assigned", "sha256": "096328c92f192c547fa70269c2a8869a2b41ea46972ff0b85f91c484b81defcc", "type": "query", - "version": 3 + "version": 4 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "9.3", @@ -1511,13 +1511,13 @@ "rule_name": "Suspicious Network Tool Launch Detected via Defend for Containers", "sha256": "52c8bf4b88a390a02c576926ab93066b84724ffbf8a8f2adfc8bfa9edf30f233", "type": "eql", - "version": 105 + "version": 106 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Entra ID Application Credential Modified", "sha256": "d9a189bab2df94b4b6cd30d792e7891b84d4684c3d1f1b94e30aeb8769e60c62", "type": "query", - "version": 109 + "version": 110 }, "1a3d5b36-b995-4ace-9b85-8a0af429ccf6": { "rule_name": "Newly Observed High Severity Detection Alert", 
@@ -1529,61 +1529,61 @@ "rule_name": "Potential System Tampering via File Modification", "sha256": "40e16656b62a8f8b4a050a24a81a5222c3b71244c7e747902e7899933102755a", "type": "eql", - "version": 5 + "version": 6 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", "sha256": "7aff4b19617d22e58a7bba7919b719dbbec4df85308564a1cd3fee9363798ae2", "type": "eql", - "version": 320 + "version": 321 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", "sha256": "a3d4e1675ec84b3af9163b6a3759711bce84c07ff080a118e7208d181665df7c", "type": "query", - "version": 215 + "version": 216 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", "sha256": "12119420da1871b99202f57ec10904ffc1deee90adab67e4719a1a7207bbc500", "type": "eql", - "version": 317 + "version": 318 }, "1ac027c2-8c60-4715-af73-927b9c219e20": { "rule_name": "Windows Server Update Service Spawning Suspicious Processes", "sha256": "68657a78537ab31a02e6e7bdf3c1c16c01ab15359ecf055b790816e887efceca", "type": "eql", - "version": 4 + "version": 5 }, "1aefed68-eecd-47cc-9044-4a394b60061d": { "rule_name": "React2Shell Network Security Alert", "sha256": "0bb3f9c7167e6586c90cc2a0d5c56d1239b7e0eccdfbdb6d4fb9e18757d982fe", "type": "query", - "version": 2 + "version": 3 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", "sha256": "2f7562c182467d14f7652d3abb6608ddb866a662c35c85f285c8fd5b91f6f892", "type": "eql", - "version": 7 + "version": 8 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", "sha256": "a0a40875e83b365491356586b13f47638211dbab5eb725cd74e481088f4abf31", "type": "eql", - "version": 212 + "version": 213 }, "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": { "rule_name": "Remote Management Access Launch After MSI Install", "sha256": "54c52e1583a70f0e58886c3834476d8a301420a103cebf085744e0b227eabe61", "type": "eql", - 
"version": 4 + "version": 5 }, "1b65429e-bd92-44c0-aff8-e8065869d860": { "rule_name": "BPF Program Tampering via bpftool", "sha256": "81a039d10521f44f4281d8544ffd0b16a9b3063f8ee87612d04ff43a2da6151a", "type": "eql", - "version": 2 + "version": 3 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted", @@ -1601,25 +1601,25 @@ "rule_name": "Potential Internal Linux SSH Brute Force Detected", "sha256": "03f4a222aafafea3d3221e0582ccac9b11bbc82101504c84c7694b8ef873cda9", "type": "eql", - "version": 16 + "version": 17 }, "1c28becc-ec0b-4e6d-81a5-899d00348089": { "rule_name": "Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket", "sha256": "b9af69ebbbeff32bb2101e0acdf8c98dc60ca99cddc9b2ecbb16b47c394956d6", "type": "eql", - "version": 1 + "version": 2 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "rule_name": "Potential Process Injection from Malicious Document", "sha256": "ce6e5c0d567af464050071029e7ca367ab9b070855f566cda0626a678b8c95ef", "type": "eql", - "version": 4 + "version": 5 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Entra ID Illicit Consent Grant via Registered Application", "sha256": "fb04e2d9695cf1eb8eef84bae6c748979d9703934f64e06743e28b55e5168f56", "type": "esql", - "version": 220 + "version": 221 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", 
@@ -1631,86 +1631,86 @@ "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created", "sha256": "872670a07996ff3b1b618f205a314336501baae58b58b0b9eb4df5a182cbe3aa", "type": "query", - "version": 109 + "version": 110 }, "1ca62f14-4787-4913-b7af-df11745a49da": { "rule_name": "New GitHub App Installed", "sha256": "98cd8a087a11aa53e292618c8047442532a33dc329c2c7c7e264ad92008f574b", "type": "eql", - "version": 209 + "version": 210 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "2d10043a1aa6786aef98747241a102b2e31aae347ae8a451f5e468c9d52f7e35", "type": "eql", - "version": 214 + "version": 215 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "b205ced242cd1aea02d4b083ded2c9a8d7e55a6d6b9c2a0e4a62f113c2d1d709", "type": "new_terms", - "version": 213 + "version": 214 }, "1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": { "rule_name": "Entra ID Domain Federation Configuration Change", "sha256": "ad37538a2c191bb69fef32ecee94047d48237b5f045c30faa5d3cbba14fe1aec", "type": "query", - "version": 3 + "version": 4 }, "1d0027d4-6717-4a37-bad8-531d8e9fe53f": { "rule_name": "Potential Hex Payload Execution via Command-Line", "sha256": "73886707ccad198484d4c6cdde082d9ef78aea65c349fa08ea0430836e23f673", "type": "eql", - "version": 5 + "version": 6 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", "sha256": "e9575c364fc387c6707b5d37b4870192b76de5fab2e194b70bc4691ef96b498f", "type": "eql", - "version": 216 + "version": 217 }, "1d306bf0-7bcf-4acd-83fd-042f5711acc9": { "rule_name": "Initial Access via File Upload Followed by GET Request", "sha256": "2b398592c31c97af1985d6702aea4c8065619b220445521d5b75a1a48b3c1a47", "type": "eql", - "version": 3 + "version": 4 }, "1d485649-c486-4f1d-a99c-8d64795795ad": { "rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt", "sha256": 
"2756232f98fabdff059cfa55dc552f04e2c8c7042455b61eade3819dde3b4b3d", "type": "eql", - "version": 3 + "version": 4 }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Profile Creation", "sha256": "92e8e6bf07d93b94bbeb7d1af6d2bd2f62f69c4dd3bedc34becebc0961db80c8", "type": "query", - "version": 9 + "version": 10 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "8d05c32f44d67de63080ae2a1b59170a1394351c67170174791519ff480c2348", "type": "eql", - "version": 110 + "version": 111 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "398b3d88b1753b2d476720085736b2bdfe86fb195e47981a3e582f66397ced53", "type": "query", - "version": 114 + "version": 115 }, "1dc56174-5d02-4ca4-af92-e391f096fb21": { "min_stack_version": "9.3", "rule_name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers", "sha256": "de7edeb410f5b8a1e8dbb092cbe4d087a133a7ba1c66545920a487874a383294", "type": "eql", - "version": 2 + "version": 3 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "280c95cf73f0b4d05908dee4ef63654696f4b55a5040e86f1f69d1455aab9cd4", "type": "eql", - "version": 318 + "version": 319 }, "1dd99dbf-b98d-4956-876b-f13bc0ce017f": { "rule_name": "Alerts From Multiple Integrations by User Name", @@ -1722,7 +1722,7 @@ "rule_name": "Suspicious Inter-Process Communication via Outlook", "sha256": "bdf02d8405b38f96f1a6314cda5e1200914160197006090f7af12146810ca2cb", "type": "eql", - "version": 12 + "version": 13 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader", 
@@ -1734,37 +1734,37 @@ "rule_name": "Potential Linux Hack Tool Launched", "sha256": "d77702d18de0a8d0365973764069a898ec115292a1894c24062e7aed54979fd4", "type": "eql", - "version": 109 + "version": 110 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "rule_name": "Deprecated - PowerShell Script with Discovery Capabilities", "sha256": "ad1bd87d23f66d5a3239115816acbcf857fffb8361fd598d3abda318487378fa", "type": "query", - "version": 215 + "version": 216 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", "sha256": "a36ca67a74f87b67b969d3970684fafaf17f731179188925f02cc6e2db6c3dd7", "type": "query", - "version": 107 + "version": 108 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "rule_name": "Creation of a DNS-Named Record", "sha256": "f122d418e9dafbe14b2ca383cd8a6184aaa9aaaca6d46160e742e081b941bc9b", "type": "eql", - "version": 109 + "version": 110 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "rule_name": "Creation of SettingContent-ms Files", "sha256": "2f32979d0c4c70576ae719941f88e9b734de6ca0b68d8cbca27176d73ca4769d", "type": "eql", - "version": 109 + "version": 110 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "b6df387d7eea51849c454c9111255872e0f17716467e7f7dcb96324b0a100070", "type": "new_terms", - "version": 208 + "version": 209 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "min_stack_version": "9.4", @@ -1780,7 +1780,7 @@ "rule_name": "Unusual Sudo Activity", "sha256": "c191e024e62f5ec95b39f7a502aecbea41301bd8a555cbe351ce2d88a3dc354d", "type": "machine_learning", - "version": 207 + "version": 208 }, "1eb74889-18c5-4f78-8010-d8aceb7a9ef4": { "min_stack_version": "9.4", 
@@ -1796,37 +1796,43 @@ "rule_name": "Spike in Azure Activity Logs Failed Messages", "sha256": "b55cf9442601c13334ddbdf9f1c6553c1ee36c6be64b33cc9c2d312f36a43c55", "type": "machine_learning", - "version": 101 + "version": 102 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "5f229ee4fa489867da43771533ebd54f07045dbf3c671e4edec7850f6e2ff04d", "type": "query", - "version": 118 + "version": 119 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "rule_name": "AWS Sign-In Console Login with Federated User", "sha256": "55d45ab5f5631b527067817a7d2c2d4fd25f4b7740b19d7ed6684b84c9d198b6", "type": "query", - "version": 7 + "version": 8 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "6ef4ba72caea4308333e21e9748b0103bd5465ca8e8de00cb44982b38ddc73a8", "type": "eql", - "version": 108 + "version": 109 + }, + "1f489c86-d9c4-40de-9316-931721ca9b45": { + "rule_name": "Google Workspace User Login with Unusual ASN", + "sha256": "36d9ddf894c154d8b06736a4546c607e5e6506501cef0fa285bd4715adf0e2d6", + "type": "new_terms", + "version": 1 }, "1f56f548-94ec-4678-b1ed-b1a14cca4e3a": { "rule_name": "File Creation in World-Writable Directory by Unusual Process", "sha256": "4df9615b0c5bc14b8ab9c22dfd3b551e165497764f49c76f47131b8c18126ad8", "type": "new_terms", - "version": 2 + "version": 3 }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { "rule_name": "High Number of Egress Network Connections from Unusual Executable", - "sha256": "b7c5e8e2683c1a9405ab334ea64b6abd11051146461d97a00a006a8a114ac5e3", + "sha256": "eafeb83b8040dee8fe09ca03a41822ab04b2e697435ea84a3ccaceb964e96175", "type": "esql", - "version": 12 + "version": 14 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "9.4", 
@@ -1842,13 +1848,13 @@ "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "1a0a985a78e282cb73680c64ef0fd7dd1b06b6888ac9aa29908324720ffd8a52", "type": "machine_learning", - "version": 207 + "version": 208 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "ce63eff5ee6329ed0d754e18e681e094db4edd4554e6c5857c4a7e4eec55a7f3", "type": "eql", - "version": 220 + "version": 221 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", 
@@ -1860,43 +1866,43 @@ "rule_name": "Suspicious .NET Code Compilation", "sha256": "718eb4049a2a7d326275953bcb81b6108f6af2f80cf5681605b01c2156773965", "type": "eql", - "version": 319 + "version": 320 }, "202829f6-0271-4e88-b882-11a655c590d4": { "rule_name": "Executable Masquerading as Kernel Process", "sha256": "b71bdcfb747a7c25b0a7ecef37b73f89cfd4936ff7b67f399a7d47694f1c4992", "type": "eql", - "version": 109 + "version": 110 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "rule_name": "Creation or Modification of Root Certificate", "sha256": "da1e0288bfbf5cf9a5a637c2ff71e7b786124de06dafdd88afc745cf802cfbec", "type": "eql", - "version": 317 + "version": 318 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "00192d120763a8e01464c5ce0165c7c8c09fd5dc69b8913668ae9889fe86e6ce", "type": "query", - "version": 212 + "version": 213 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Suspicious Web Browser Sensitive File Access", "sha256": "e46abdd536b397307dd73b4a20f4296b0141a10a86a9c252ecc461420fea502d", "type": "eql", - "version": 214 + "version": 215 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "acfa894d6162e141d87059ad8f6bf9ab526faf4bb7d294c1c9559d4a696d8c5a", "type": "eql", - "version": 209 + "version": 210 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", "sha256": "71c7f2709ba57af9d034b02dfddd8ffad88a6ce54561ccb2e9a6249e403f045f", "type": "new_terms", - "version": 218 + "version": 219 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", 
@@ -1908,74 +1914,74 @@ "rule_name": "Mofcomp Activity", "sha256": "c0049f673475e17a60c9243c445c9cc0740541dd02cedb0ad8ad2af6aa0ec463", "type": "eql", - "version": 11 + "version": 12 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "AWS SNS Topic Message Publish by Rare User", "sha256": "3e08ddf0b5b1afd3391ad3417aeab29ba5b82004dfea27700df13240aa6f2c1e", "type": "new_terms", - "version": 6 + "version": 7 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", "sha256": "ffbef35f2979f9b0815d176123110cf20185f13031b14a773f5d555d5a5f67ef", "type": "eql", - "version": 9 + "version": 10 }, "214d4e03-90b0-4813-9ab6-672b47158590": { "rule_name": "New GitHub Personal Access Token (PAT) Added", "sha256": "59d60ae7f69e0ad09fed8b4f0d81aa233cb1aa5f95a2c4dbc67893e48c9c6a68", "type": "eql", - "version": 3 + "version": 4 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "sha256": "8b75d9e37c1f4a0c2bf887e72a428e276adafb073c14a72aa32d6df0f17e18d9", "type": "new_terms", - "version": 11 + "version": 12 }, "21c3536f-b674-43db-9bfc-dcf4cf9dcc37": { "rule_name": "GitHub Secret Scanning Disabled", "sha256": "aff570e0cf948f93e3441a9f2e00aef71fc0bf2aa0b96863c7c05b6589ebb7d6", "type": "eql", - "version": 2 + "version": 3 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "2e948782f65666ac3d10796a6baf18110e533c7911ec87b4302958666ded5115", "type": "eql", - "version": 113 + "version": 114 }, "220d92c6-479d-4a49-9cc0-3a29756dad0c": { "rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy", "sha256": "b8ea3be7fe37d1a71bbceeadb9717e70b488e7256446ad679f347b464e34524c", "type": "esql", - "version": 2 + "version": 3 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Activity", "sha256": "09ce90780ee8c5b0abb47761859ddd4909e777651474a0de5937379b4fe1de9d", "type": 
"new_terms", - "version": 210 + "version": 211 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "Deprecated - SUNBURST Command and Control Activity", "sha256": "e436ded1c2bcdb723f2a841740b8072959feceb4095c0086697c55e444763575", "type": "eql", - "version": 112 + "version": 113 }, "227cf26a-88d1-4bcb-bf4c-925e5875abcf": { "min_stack_version": "9.3", "rule_name": "Encoded Payload Detected via Defend for Containers", "sha256": "c22125aa8d5fbba0e2e7ab1379a82385d8164c305089fc053ca1bf31ed58b2e0", "type": "eql", - "version": 3 + "version": 4 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "94bf56921f7182099d52dfb0db8b4469fc67827685348c0e306268756187ba80", "type": "query", - "version": 214 + "version": 215 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", @@ -1987,13 +1993,13 @@ "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "86d21d741eff46da2d15b7f31b033ed32ecda99a9f660857b2f751ee059c149f", "type": "query", - "version": 109 + "version": 110 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "rule_name": "Kernel Module Load via Built-in Utility", "sha256": "a06f1985bb2ac22749c86a7b54bbc101a924941d49abfa208f890b470ad6323d", "type": "eql", - "version": 216 + "version": 217 }, "2377946d-0f01-4957-8812-6878985f515d": { "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", 
@@ -2015,43 +2021,43 @@ "rule_name": "Potential Kubectl Masquerading via Unexpected Process", "sha256": "6e24466e654e56308b329e2e506d4a36f3cb93890c9cc863c6f54618cdb177da", "type": "eql", - "version": 104 + "version": 105 }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { "rule_name": "Unknown Execution of Binary with RWX Memory Region", "sha256": "082bad18b8416bb5ccd1d0cfce8b0e590878f8eda05813006131e35463194383", "type": "new_terms", - "version": 8 + "version": 9 }, "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf": { "rule_name": "Potential SAP NetWeaver Exploitation", "sha256": "9592413691f94b0e392e5b6b6d96b45087aef7dcc204902cbee6f54c88ca0e31", "type": "eql", - "version": 2 + "version": 3 }, "23cd4ba2-344e-41bf-bcda-655bea43fdbc": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "bad7dfbcf30e7a80ff8bf2b11b59f66510afc25bcebc9113d7ba02700a792c86", "type": "eql", - "version": 4 + "version": 5 }, "23e5407a-b696-4433-9297-087645f2726c": { "rule_name": "Potential NTLM Relay Attack against a Computer Account", "sha256": "f0d7a8f00c28cdc603cdf2f3a222453dc87d3c585871a04289e06d7d65e12363", "type": "eql", - "version": 2 + "version": 3 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "rule_name": "Potential Okta Brute Force (Device Token Rotation)", "sha256": "1dca7f7a9f133b30aeaaf0bcefe7bfa30c7c6d26fa4a0ac58e4bf6ab5ca714f6", "type": "esql", - "version": 212 + "version": 213 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", "sha256": "33174dde2dcb90f51dc8b556bf7b9e4042559084fa221d4dc8f0b0d6bda99a8d", "type": "eql", - "version": 211 + "version": 212 }, "2449be9d-2fdf-4126-a85b-f05e4058df9f": { "rule_name": "Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)", 
@@ -2063,32 +2069,32 @@ "rule_name": "Lateral Movement via Startup Folder", "sha256": "0ea2de447f9849a74fe836db1209085c0b5799003f2cae237af3197ac11c27e4", "type": "eql", - "version": 315 + "version": 316 }, "25368123-b7b8-4344-9fd4-df28051b4c6e": { "rule_name": "First Time Python Created a LaunchAgent or LaunchDaemon", "sha256": "fe6a9526f2f3cde09ceb6ad2abb75b5c041b596c4c3efb072057e5d8d206557b", "type": "new_terms", - "version": 3 + "version": 4 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "rule_name": "Potential PowerShell HackTool Script by Author", "sha256": "0199eb265ce99c7a9f188d9ffa0b0d930dc5da0e8125dce7773e6f4c681d9ad0", "type": "query", - "version": 110 + "version": 111 }, "2572f7e0-7647-4c68-a42b-d3b1973deaae": { "min_stack_version": "9.3", "rule_name": "Potential Kubeletctl Execution Detected via Defend for Containers", "sha256": "acc31532978654732c3792974aca8d114b5fcbc3b1a2bb12c476fbb78d110c67", "type": "eql", - "version": 3 + "version": 4 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "rule_name": "Potential Reverse Shell via Background Process", "sha256": "d6a2ecf476cd2454fdbff39ec56abf5546147359689e2d4c4d2b1b13eec7d813", "type": "eql", - "version": 110 + "version": 111 }, "25a4207c-5c05-4680-904c-6e3411b275fa": { "rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree", 
@@ -2100,110 +2106,110 @@ "rule_name": "Network Activity Detected via Kworker", "sha256": "6f4eff66f0c65aba4c175641ec53bd362c571ddcc98a36f91f1357b1e7f21817", "type": "new_terms", - "version": 10 + "version": 11 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", "sha256": "a4325d7530e0e1c4d8606448e0fda6086c035e0c00e8a6941f16716a7b0c4be9", "type": "query", - "version": 7 + "version": 8 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "rule_name": "New Okta Authentication Behavior Detected", "sha256": "b4310f1d499651a51101aa441f2d2dbfa9526781e8c3572a6f390ee7b104c96e", "type": "query", - "version": 211 + "version": 212 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", "sha256": "847b0b60963ff676ec04a3851fcf67da0046389d6b3d572ab197169471c02e4c", "type": "eql", - "version": 11 + "version": 12 }, "263481c8-1e9b-492e-912d-d1760707f810": { "rule_name": "Potential Computer Account NTLM Relay Activity", "sha256": "c6466b3359e6b53e8f7baa6dc0c0a8268893292d2e8c70cf97aaf503f935e4f2", "type": "eql", - "version": 110 + "version": 111 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Storage Container Access Level Modified", "sha256": "17ad4439d8cff6eb09caa234542cd8b06c1f9431660b61500250cfac88379a95", "type": "query", - "version": 108 + "version": 109 }, "264c641e-c202-11ef-993e-f661ea17fbce": { "rule_name": "AWS EC2 Deprecated AMI Discovery", "sha256": "8e6edb115aadbbe0288142ede56a886b171f90f427e56805c3b403b92787d9b0", "type": "query", - "version": 8 + "version": 9 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "f6c4dc44ea09e4d0007ef1b75b2883cdc9f543888b98fd1e58d6ab7ec7e90a34", "type": "eql", - "version": 319 + "version": 320 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "rule_name": "Unusual High Denied Topic Blocks Detected", - "sha256": 
"eb93685370370e45763a4c643fb482b438ac57fbe5bb1cae4f02da532dec3ddc", + "sha256": "2d8380692f5a4979d5ce42e2f909839300184905903c947860d8bd68208fd2a0", "type": "esql", - "version": 5 + "version": 7 }, "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", "sha256": "fa8068ba6208f9c013cda667f737b51fae6f5b52b978165e1b76c35f0acd0ee1", "type": "new_terms", - "version": 6 + "version": 7 }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "rule_name": "Potential Defense Evasion via Doas", "sha256": "8c951a0906470270b43bc3293a9d807368a4febdfe1c96dcf7585c87d42f40b0", "type": "eql", - "version": 106 + "version": 107 }, "26a989d2-010e-4dae-b46b-689d03cc22b3": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request Detected via Defend for Containers", "sha256": "83c6cdeb9a06541ccba897ff5fded24c63515255d7a617a83ba2b1150425e39a", "type": "eql", - "version": 2 + "version": 3 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "rule_name": "Privileges Elevation via Parent Process PID Spoofing", "sha256": "2a8b22e7d63527d904ab15bd93ab301fbe45ba09b99e427ca34ebe89d9d1d15c", "type": "eql", - "version": 12 + "version": 13 }, "26edba02-6979-4bce-920a-70b080a7be81": { "rule_name": "Entra ID High Risk User Sign-in Heuristic", "sha256": "f2967ce4210d92868dcbb7f81ec19ec93006bdf594453cbf93086d8fb02edd22", "type": "query", - "version": 110 + "version": 111 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "M365 Identity User Brute Force Attempted", "sha256": "ebb4f079a3090c488a142f1c993638ab122995c8ec1213052b508848e1fc433d", "type": "esql", - "version": 418 + "version": 419 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e528a3c860f8f8de6eb7bceeebeefd1cf6ab283b09db3f9bc9ece6beb6fa532a", "type": "query", - "version": 213 + "version": 214 }, "2724808c-ba5d-48b2-86d2-0002103df753": { "rule_name": "Attempt to Clear Kernel Ring Buffer", 
"sha256": "cc0c2851cb9e2e1facc925729c2f7cca24af0ac04d12a8ebdbe16870cdb540a3", "type": "eql", - "version": 110 + "version": 111 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "M365 Exchange Mail Flow Transport Rule Modified", "sha256": "58f1574c18c76838ab7233c8367023b61bc2ee9fe19c6de7f38cfd9a9f760b08", "type": "query", - "version": 213 + "version": 214 }, "27569131-560e-441e-b556-0b9180af3332": { "min_stack_version": "9.4", 
@@ -2219,62 +2225,62 @@ "rule_name": "Unusual Privilege Type assigned to a User", "sha256": "07ea6892290d7a3ab379ca9ae743312e7ac639accd3a42b44ef6d882debc7788", "type": "machine_learning", - "version": 104 + "version": 105 }, "275b972d-2fed-44fc-9214-08603b3318e3": { "rule_name": "M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)", "sha256": "1cb9831d107472766f76dbe7ca4eee784b4004fa2ba6f977d2475b01da030a77", "type": "query", - "version": 1 + "version": 2 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "c46e02d9df71ee1e22ed5ac8f5ba1d5afab07283bd6ea70286a84474f4017c06", "type": "eql", - "version": 215 + "version": 216 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", "sha256": "bb286cf8785e506f2b849cf456c03c150eef1646b3cba7375baf550e2adbbe61", "type": "query", - "version": 109 + "version": 110 }, "279e272a-91d9-4780-878c-bfcac76e6e31": { "min_stack_version": "9.3", "rule_name": "Suspicious Process Execution Detected via Defend for Containers", "sha256": "f59668d5789c20ac3063485cf2e2475dee1cca5257adcd26dd6792bd6a9611aa", "type": "eql", - "version": 3 + "version": 4 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Deprecated - M365 Teams External Access Enabled", "sha256": "bc0c0b0a6a0f4f1cdef846be5717cc774ae8cfcf0c777765f28656c16ed58484", "type": "query", - "version": 214 + "version": 215 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", "sha256": "7b6619e4799f5c51aac53ea894d15478f84f6ed434bf2f15f94fdf0570761aa1", "type": "eql", - "version": 222 + "version": 223 }, "283683eb-f2ce-40a5-be16-fa931cb5f504": { "rule_name": "Newly Observed Palo Alto Network Alert", "sha256": "6950c8ed18d7697993f1a1159f6bc0a7eb141aaff4f0243575894da36997a1b8", "type": "esql", - "version": 3 + "version": 4 }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", 
- "sha256": "b8cf9700d169c0901439e2d0562728548640e7e876af9ac5968766217cb1f804", + "sha256": "ce81951ab3d4a4fdf53ec1d89559c7146d3adb5b6d73f7e417446e8307628be9", "type": "esql", - "version": 6 + "version": 7 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "27990b18c9a88be12901538e00f7518df2e6955d7e6825b3e6c043688e68414d", "type": "eql", - "version": 216 + "version": 217 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", 
@@ -2298,67 +2304,67 @@ "rule_name": "AWS STS Role Assumption by User", "sha256": "7dc5f160fa3c93691ca733218c01f5481e0fe164bd1f9b1f0beb35a7763ec43d", "type": "new_terms", - "version": 9 + "version": 10 }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", "sha256": "40709b37a372f451eb19142e62244babb6f19d932ff23febe70379c94e8fd0e6", "type": "eql", - "version": 7 + "version": 8 }, "28d39238-0c01-420a-b77a-24e5a7378663": { "rule_name": "Sudo Command Enumeration Detected", "sha256": "08cd9c8ade957eb4b22e7e97107ab12ebabd91467a861afb99e3b6a377becb68", "type": "eql", - "version": 111 + "version": 112 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "rule_name": "Privilege Escalation via SUID/SGID", "sha256": "46f7be3e59656893dfb3bcec2a1f30e7e118a703b4c52bfa1c61fee7207354ef", "type": "eql", - "version": 112 + "version": 113 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation", "sha256": "c58523c3504b477306897ad712fc266a3409aef8c601706b879c32f1efb654b3", "type": "eql", - "version": 11 + "version": 12 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS EC2 Security Group Configuration Change", "sha256": "a2e0780759a02c4f019ded2450fbab0521f281a7495b1d6381ce9a065acc3db6", "type": "query", - "version": 214 + "version": 215 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "fbac4cf97fd5011fda908f1d0adbb902d2728ecf40da761102b508c43548ccd5", "type": "eql", - "version": 323 + "version": 324 }, "2917d495-59bd-4250-b395-c29409b76086": { "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "bc5e8ceab279abfed41e634d0a0a4597dfc4c45c9963a0bdec070875fe0f1010", "type": "new_terms", - "version": 424 + "version": 425 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": 
"4cacb8f8a73738c053cb1f103e94a0cc342a31b5e595c2d0c90538fa08e8238b", "type": "new_terms", - "version": 421 + "version": 422 }, "29531d20-0e80-41d4-9ec6-d6b58e4a475c": { "rule_name": "Alerts in Different ATT&CK Tactics by Host", - "sha256": "c5405c7e3f88cfc2000c94b4c7b8d38c9d2a26b546e452f9ed097e0da1aaa240", + "sha256": "68c808fa2cb139fbf87fada5fe4b7c7f653dc3727a5799983ac5f5a819e14d60", "type": "esql", - "version": 5 + "version": 6 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "bb3f43e51cf57903cac31eea9b1da4e3c0c5398f11a673b5e3fd5770b25477f4", "type": "query", - "version": 210 + "version": 211 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", 
@@ -2370,37 +2376,37 @@ "rule_name": "Linux SSH X11 Forwarding", "sha256": "e4c869cb3edc72947fd52af59a07d158d9df906cfd5b80d6dcca840734074fe7", "type": "eql", - "version": 109 + "version": 110 }, "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": { "rule_name": "Microsoft Graph Request User Impersonation by Unusual Client", "sha256": "c79bf8bb0d94aaff02709efc88bdd456c06752b9e7d41a5a34bd1eeb99eed3f1", "type": "new_terms", - "version": 8 + "version": 9 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", "sha256": "bb5d868d2632e7b5a662737cfdddf49f0aa78a0d0dda0cad6b4104330cad37ec", "type": "eql", - "version": 13 + "version": 14 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod Created with a Sensitive hostPath Volume", "sha256": "dffee6f1f33580e6cf14dd782f8158c3b7c55b5f30b1db84f04f44d575386b26", "type": "query", - "version": 210 + "version": 211 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "rule_name": "ESXI Discovery via Grep", "sha256": "37999a3afa79aa321127ff14e5839d96e719daa04d68b38cc7f79924c59a8982", "type": "eql", - "version": 113 + "version": 114 }, "2b9a3b7a-0891-4a89-abbe-dca753c403cd": { "rule_name": "Multi-Cloud CLI Token and Credential Access Commands", "sha256": "61952dce699974e95e7f7709554d81d3e2ab7e7bee7a9126f8a648e53b3da84f", "type": "esql", - "version": 1 + "version": 2 }, "2bca4fcd-5228-4472-9071-148903a31057": { "min_stack_version": "9.4", 
@@ -2416,67 +2422,67 @@ "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", "sha256": "b87efefef846486cad6bc17aa7c220a3833b848d4ca87f09c1f5defda9cb428d", "type": "machine_learning", - "version": 104 + "version": 105 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Deprecated - Adobe Hijack Persistence", "sha256": "d554c3a9b2cbb27ce03d73fe4c984d648404006ad784e24039acee69e3f2b78f", "type": "eql", - "version": 421 + "version": 422 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "a0709d688ae05f8fc435bd8ca93dda11365bc4a4a944b23ff637780dac62b701", "type": "eql", - "version": 319 + "version": 320 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "8d94d7fb85ae6118469b64123048223e518e64558377b9e2e140fdf98ece2a16", "type": "eql", - "version": 218 + "version": 219 }, "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": { "rule_name": "Newly Observed FortiGate Alert", "sha256": "a03c57f295928b0d76701bfde0f0f24c71f4f0468545519ef16b580061b27cff", "type": "esql", - "version": 3 + "version": 4 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "rule_name": "Potential Foxmail Exploitation", "sha256": "d9b063def75ef74f0205dc26441ae826e4c9cc34b2a6b8634df702cad8b562e1", "type": "eql", - "version": 209 + "version": 210 }, "2c74e26b-dfe3-4644-b62b-d0482f124210": { "rule_name": "Delegated Managed Service Account Modification by an Unusual User", "sha256": "79e8c76a9e9e5c426263821942e3d2ee0a1173e81bbba8aff836e9bd453654cc", "type": "new_terms", - "version": 4 + "version": 5 }, "2d05fefd-40ba-43ae-af0c-3c25e86b54f1": { "rule_name": "BPF Program or Map Load via bpftool", "sha256": "b89854776ad866f757ee1469315dad87cb628a427e71fe40f741a0aaf4c53d5e", "type": "eql", - "version": 2 + "version": 3 }, "2d3c27d5-d133-4152-8102-8d051619ec4a": { "rule_name": "Potential Okta Password Spray (Multi-Source)", "sha256": 
"0b3754763f9388a104514203cdb27b710d8d0b5bd654671deb494bdd5568496a", "type": "esql", - "version": 3 + "version": 4 }, "2d58f67c-156e-480a-a6eb-a698fd8197ff": { "rule_name": "Potential Kerberos Relay Attack against a Computer Account", "sha256": "9535ca2df0f4875a40fddd9343363a41368fc737d08a1ae532dccc3fbb98f4ff", "type": "eql", - "version": 3 + "version": 4 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "rule_name": "Command and Scripting Interpreter via Windows Scripts", "sha256": "71c4ced0fea8eaf9a81fbfcf8c97f73a25c05b08abfa5fd1302a51843c64a4fc", "type": "eql", - "version": 211 + "version": 212 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { "min_stack_version": "9.2", 
@@ -2506,49 +2512,49 @@ "rule_name": "Entra ID Excessive Account Lockouts Detected", "sha256": "f5a1ec4caef511f8190ed9a710be895fecebe6b72f29b03da749e5e4dea0b10b", "type": "threshold", - "version": 306 + "version": 307 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Unusual Kernel Module Enumeration", "sha256": "08ee164b5d1ce75b39808742849277e8261cb5961e4beed4e5b5884da7e12ccd", "type": "new_terms", - "version": 215 + "version": 216 }, "2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected", "sha256": "2038641850ec7f59a724389fa9c574dc5e7afde97a91a20ad4e700087c05d191", "type": "esql", - "version": 3 + "version": 4 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "58b8a1746c1b88f41ce38c583a0eb3520a1689f8a019913516571f21b3c095fa", "type": "eql", - "version": 316 + "version": 317 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { "rule_name": "Potential THC Tool Downloaded", "sha256": "2fdf4a036c7f0d6c3aa8e7d60e6415e5dce3b059e32369e04f6f992f75d652cf", "type": "eql", - "version": 109 + "version": 110 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "M365 Identity Unusual SSO Authentication Errors for User", "sha256": "dfbe6f2be34fc93b6ac0c780444a2c505c8154462a23a5c434332da089103385", "type": "new_terms", - "version": 215 + "version": 216 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "0e40b02258f08b8dd3d44d58c4d7ea172b3879f29c4811844a892121c0fed325", "type": "eql", - "version": 217 + "version": 218 }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { "rule_name": "Potential File Transfer via Curl for Windows", "sha256": "4d04954b58f65d7b8123c4875c6283eb3f8855e6fdbb706299800c4893aede50", "type": "eql", - "version": 8 + "version": 9 }, "2e08f34c-691c-497e-87de-5d794a1b2a53": { "min_stack_version": "9.4", 
@@ -2564,31 +2570,31 @@ "rule_name": "Unusual GCP Event for a User", "sha256": "dc4770ad5a8fc4f77f6dc6d6459c0bc5cd738459a7a2d9d13172cce489ef203b", "type": "machine_learning", - "version": 102 + "version": 103 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed Automation Script Interpreter", "sha256": "3412a61dea3f79000826b1ee35082aa9044c9d26e298c59e772d420c3d4fa016", "type": "eql", - "version": 219 + "version": 220 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential Process Injection via PowerShell", "sha256": "1f1201ba99d2842ffbcad3d15b1dcb747040fe2b58cd03c3b0438ef39413824f", "type": "query", - "version": 219 + "version": 220 }, "2e311539-cd88-4a85-a301-04f38795007c": { "rule_name": "Accessing Outlook Data Files", "sha256": "049befdbf6cac7da7b115ab1a497a5d04ad6940c94e04cc89ac097e309c67f89", "type": "eql", - "version": 109 + "version": 110 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "4abe9b19327d050b9a6b99c9ba1b465c25650d2afc82f39672d95f6cf38625d6", + "sha256": "df2a80de2f7d6b43a02835be633a2f088deee19945762258bc20fc1770fc3718", "type": "esql", - "version": 311 + "version": 313 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", @@ -2600,7 +2606,7 @@ "rule_name": "Creation of a Hidden Local User Account", "sha256": "64c4671959fc9fd3a93eb924ddb2c5a70a6f113b1602871a7029d7ce573fafbe", "type": "eql", - "version": 317 + "version": 318 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", 
@@ -2612,31 +2618,31 @@ "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "99ac9ef863cee31dd240561777099c022934a3cf76997d70d1b0f0b1414e32e2", "type": "query", - "version": 217 + "version": 218 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", "sha256": "83c3b8bb65af1b682a4e4e22bda3b0c8c4a7a01490b7e1a9add4b5b211590631", "type": "eql", - "version": 217 + "version": 218 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "rule_name": "Suspicious /proc/maps Discovery", "sha256": "f6b06ba2f41bccdff7861549bc087a2e1fae2ef2c4959ad2911665a2c04a9887", "type": "eql", - "version": 8 + "version": 9 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "b9b13ab82fce4582270516eb4103335c297e09ba1fb18b9305104084893f8432", "type": "eql", - "version": 113 + "version": 114 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "20024501f2158ecc1863a29ac71a7d5452d113ceaf3da322ec0b480574f1f462", "type": "eql", - "version": 219 + "version": 220 }, "301571f3-b316-4969-8dd0-7917410030d3": { "rule_name": "Malicious Remote File Creation", 
@@ -2648,25 +2654,25 @@ "rule_name": "GCP Firewall Rule Creation", "sha256": "b7443e73c34b63ea64aef8d2a73cdda1561793b4fc5ae82d1e23eddb58d45ed8", "type": "query", - "version": 109 + "version": 110 }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", "sha256": "45bc415cfbe47728cd85f5beb1db8210f3b2d2d740e54e02b7f5fc7ef97b9cad", "type": "eql", - "version": 8 + "version": 9 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "rule_name": "ESXI Timestomping using Touch Command", "sha256": "0803b6abb72d53ff4e03e0a82bb6729e4adceebe4e21f5846840b73ad1105a91", "type": "eql", - "version": 112 + "version": 113 }, "30d94e59-e5c7-4828-bc4f-f5809ad1ffe1": { "rule_name": "Suspicious File Made Executable via Chmod Inside A Container", "sha256": "9fc179c299f0a00f746636e748563c34ee24c5ec85c28140a77bf0831f50e7b9", "type": "eql", - "version": 4 + "version": 5 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "rule_name": "Deprecated - Network Connection via Sudo Binary", @@ -2678,13 +2684,13 @@ "rule_name": "Windows Script Execution from Archive", "sha256": "67a5e91404e6ae67e3f18a6dcfdac04ab77bc9dc55998558cbd6060067d8b9ab", "type": "eql", - "version": 4 + "version": 5 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", "sha256": "9096aa293720333cac0af019ee0209adf832956537108d1a8d905ba213834be7", "type": "new_terms", - "version": 9 + "version": 10 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID", 
@@ -2702,43 +2708,43 @@ "rule_name": "M365 Security Compliance Admin Signal", "sha256": "90ffab6d1e834727e5298c1c2a328ad9bf215065fe05525952503f932988d826", "type": "query", - "version": 2 + "version": 3 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", "sha256": "9668e85c8c56efdd809ccb17f4857ac12f4747e89dfd9d6b2f9d01c51a38a846", "type": "eql", - "version": 323 + "version": 324 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "4ad2ee73bd7cdbe3735b30d3a6b59541b724d90a3fd64c19100f94bb7f778ed6", "type": "query", - "version": 109 + "version": 110 }, "32144184-7bfa-4541-9c3f-b65f16d24df9": { "rule_name": "Potential Web Shell ASPX File Creation", "sha256": "620c207c86f94a7f5fa5ac75c072ca7504ecdc374a9a45ffaa54cfafe6ac449a", "type": "eql", - "version": 4 + "version": 5 }, "3216949c-9300-4c53-b57a-221e364c6457": { "rule_name": "Unusual High Word Policy Blocks Detected", - "sha256": "07e7e04210b862e96b27eee443227c6a1fbed5882d062ae1d78886a0a1d0da3e", + "sha256": "ea6f2ae258927c808b9260a4a79009dc6f859468792276d8d246a24a8f0523c2", "type": "esql", - "version": 5 + "version": 7 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", "sha256": "230128099a762e79453143aa42805708865110bb5debd68d2c3c1aa35a550290", "type": "eql", - "version": 9 + "version": 10 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure VNet Network Watcher Deleted", "sha256": "a11689594efe1a3ce6bc4114c4104ae80acfd08c3f4d742549b9ff40fc94afb5", "type": "query", - "version": 109 + "version": 110 }, "3278313c-d6cd-4d49-aa24-644e1da6623c": { "min_stack_version": "9.4", 
@@ -2754,31 +2760,31 @@ "rule_name": "Spike in Group Application Assignment Change Events", "sha256": "881770a8cf25c413c1ddb170eab543e5879b4573f6dd9fd8a4f758493bbba738", "type": "machine_learning", - "version": 105 + "version": 106 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "2d2ccd5ca54ed008472b8563442cef7bcbcfcca9773cf6cde8664d01bbf84c78", "type": "query", - "version": 110 + "version": 111 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", "sha256": "62c090223fc384970eab9eccabb23b4fe6793807b12491b26d209885275a6838", "type": "eql", - "version": 321 + "version": 322 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Atypical Region", "sha256": "bb2c0bbdce32e798e3e71ac54587b14911474b0bab1aba3c31fdff2cd236c318", "type": "new_terms", - "version": 11 + "version": 12 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", "sha256": "2b1d36af98d52e7c651c30532ec344b2145caeebab5862029eebf1639017c1e6", "type": "eql", - "version": 422 + "version": 423 }, "32f95776-6498-4f3c-a90c-d4f6083e3901": { "min_stack_version": "9.2", @@ -2794,13 +2800,13 @@ "rule_name": "Potential Masquerading as Svchost", "sha256": "0ae3b4874845b5b362efeaabd67d839e505a3c44968966093c21c4555b3d02d5", "type": "esql", - "version": 104 + "version": 105 }, "3302835b-0049-4004-a325-660b1fba1f67": { "rule_name": "Directory Creation in /bin directory", "sha256": "ced597d9501b078532ec2d68b3248faa95d307cc6fe32bbf812094b1072877b2", "type": "eql", - "version": 107 + "version": 108 }, "332ecb5b-08b6-47e9-885b-3cee1de74bac": { "rule_name": "Kubernetes API Server Proxying Request to Kubelet", 
@@ -2812,38 +2818,38 @@ "rule_name": "AWS IAM User Addition to Group", "sha256": "8740915ad9d3542a4b6dad50ca626d2efd14c8e2fa9e2dde5944d3f5fa80fa3e", "type": "query", - "version": 215 + "version": 216 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { "rule_name": "ESXI Discovery via Find", "sha256": "a71d83b3ee92c09090ce8fd23ebd63f59231a2edccb9bd6886660caebecd03aa", "type": "eql", - "version": 113 + "version": 114 }, "33c27b4e-8ec6-406f-b8e5-345dc024aa97": { "rule_name": "Kubernetes Events Deleted", "sha256": "18095b5a2473c932c2b35399552cbb87b2b648148c1ffed71425d9c909e8016d", "type": "eql", - "version": 3 + "version": 4 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", "sha256": "ba3fdfb67c7a505e71feb3c1bb53052fa31ed7aeb2b5b9c5f1951cec0c9d3f92", "type": "eql", - "version": 116 + "version": 117 }, "33ff31e9-3872-4944-8394-81dae76c12d9": { "min_stack_version": "9.3", "rule_name": "Potential Cluster Enumeration via jq Detected via Defend for Containers", "sha256": "01dc99277408753626228faea19f9692f74986b27893fa10d56ec72f7f599cba", "type": "eql", - "version": 1 + "version": 2 }, "341c6e18-9ef1-437e-bf18-b513f3ae2130": { "rule_name": "Potential Privilege Escalation via SUID/SGID Proxy Execution", "sha256": "8d52f8c87d55bec0b5f01ab261889d2ac07ff3c6a7eb1cbed03398fb111be726", "type": "eql", - "version": 3 + "version": 4 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "min_stack_version": "9.3", @@ -2859,7 +2865,7 @@ "rule_name": "Dynamic Linker Modification Detected via Defend for Containers", "sha256": "42eccedf47d0083269869acb142a647cebd64cd97a02f2693448c5df83b68fc3", "type": "eql", - "version": 104 + "version": 105 }, "344e6c7d-ceb0-4f20-ba04-7c75569a7e38": { "min_stack_version": "9.3", 
@@ -2872,31 +2878,31 @@ "rule_name": "GitHub Repository Deleted", "sha256": "9dbead37db4773f09b4ed758283f61fe7e4562772482b18e75416654a8fe2c4c", "type": "eql", - "version": 207 + "version": 208 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", "sha256": "8ab449b25259296b7454c26d1a88b78d5c22b67f6c82f767508ffb494c3f8b15", "type": "new_terms", - "version": 7 + "version": 8 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", "sha256": "98c05891ac1d062019fd7be22d345704b8cce6b75f1ae4ec8d9787e51f40a22b", "type": "query", - "version": 113 + "version": 114 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", "sha256": "a1843f580774fd27510d03b658a031fe4440da62ef0c574ddbe795d7f77b20e2", "type": "eql", - "version": 111 + "version": 112 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", "sha256": "3ced595dce2cd24c4727be69b9fa601479fd2f2f80457f720c694e678a28b875", "type": "eql", - "version": 419 + "version": 420 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "min_stack_version": "9.4", 
@@ -2912,31 +2918,31 @@ "rule_name": "Spike in Bytes Sent to an External Device", "sha256": "bff333b259468a39c107b211f1ba6331060aa97c23f5486f3654fce8a3dd4361", "type": "machine_learning", - "version": 108 + "version": 109 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { "rule_name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)", "sha256": "07c165d99fb8e82989dfd95f7c238c2624bf70169acdf0a73405eb1cb4353b39", "type": "esql", - "version": 111 + "version": 112 }, "35c029c3-090e-4a25-b613-0b8099970fc1": { "rule_name": "File System Debugger Launched Inside a Container", "sha256": "898841494b2ae4193ff42978ce0f1807a55816bb416aadf5c4e073b0fc9b51bc", "type": "eql", - "version": 3 + "version": 4 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", "sha256": "e3d3be616bcb1a086a207ba505b838f699ef299089fdeaab832fca7e48b4df09", "type": "eql", - "version": 322 + "version": 323 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", "sha256": "7f796d399910edf9f262f06a682761ddce112875ea599e8027c80503e3a0f50d", "type": "machine_learning", - "version": 109 + "version": 110 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", 
@@ -2948,25 +2954,25 @@ "rule_name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs", "sha256": "57d3c6aff18828252ee65176a27549f6eee324fd1ce7552e0823c3f487c57852", "type": "esql", - "version": 9 + "version": 10 }, "36755b43-a1f9-4f2c-9b61-6b240dd0e164": { "rule_name": "Executable File Download via Wget", "sha256": "71221bb9da8496eb982f703abdfa41780325a6d81b484361e1c41ae00352f8bf", "type": "eql", - "version": 1 + "version": 2 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", "sha256": "976ac418b90849b5394d30625f9e55b98b84485146dec6f035af51f5458f7378", "type": "eql", - "version": 115 + "version": 116 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", "sha256": "dcdf537347147dc3930fd8c5892863eea0a265f5f89c49b351a4fbab410ef039", "type": "eql", - "version": 315 + "version": 316 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "min_stack_version": "9.4", 
@@ -2982,25 +2988,25 @@ "rule_name": "High Mean of Process Arguments in an RDP Session", "sha256": "1345a788253e2c63d8198472d6d8d2321ce9775b581b4897330441bc864b31eb", "type": "machine_learning", - "version": 109 + "version": 110 }, "37148ae6-c6ec-4fe4-88b1-02f40aed93a9": { "rule_name": "Command Obfuscation via Unicode Modifier Letters", "sha256": "45fa53855ae8537315bde347efa3cf473c4337ad0ebf67a01599501247d6c287", "type": "eql", - "version": 3 + "version": 4 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "rule_name": "Potential Suspicious File Edit", "sha256": "bc478d05a000303ff85de650bc9b7604b2b57a7444f80337b05fca226b44d9a1", "type": "eql", - "version": 110 + "version": 111 }, "375132c6-25d5-11f0-8745-f661ea17fbcd": { "rule_name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)", "sha256": "771ca76a55853827aa9d3ea8bd44a66201d54913b3bc91e9e331a2dbdf94e5e7", "type": "esql", - "version": 9 + "version": 10 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "Deprecated - AWS RDS Security Group Creation", @@ -3012,7 +3018,7 @@ "rule_name": "Entra ID High Risk Sign-in", "sha256": "dd4b0b5074d56377ff3963b0e687dbe6e92954a3604dd00a66f4749fcff3c16b", "type": "query", - "version": 111 + "version": 112 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", @@ -3024,13 +3030,13 @@ "rule_name": "AWS SSM `SendCommand` Execution by Rare User", "sha256": "b88228a38401d3cfaf88a020153942655bee03db41be8d1b12f2d0468b9a694a", "type": "new_terms", - "version": 216 + "version": 217 }, "37cb6756-8892-4af3-a6bd-ddc56db0069d": { "rule_name": "Disabling Lsa Protection via Registry Modification", "sha256": "c647076f76477dd2aa512614840acda934b1f94328c2a08ba9db4111d921b1c2", "type": "eql", - "version": 7 + "version": 8 }, "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { "min_stack_version": "9.4", 
@@ -3046,110 +3052,110 @@ "rule_name": "Spike in User Account Management Events", "sha256": "8f1c726255a1e3944db11d55a3907a360b2e08797aa0a0789c2980987625af7f", "type": "machine_learning", - "version": 104 + "version": 105 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "3be1e2737e17c3a4630ef9d45bc0d60c92d160dd2a665283457ac04e3c122a97", "type": "eql", - "version": 212 + "version": 213 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "rule_name": "Attempted Bypass of Okta MFA", "sha256": "d497cf9ebba367ccc27ffa60c83adad1b1c4ca123ed732867ca75c61a9e34383", "type": "query", - "version": 415 + "version": 416 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", "sha256": "5e7901e98b0caf7d6571576af6676f95d6a1f8af52f4b9f99a6b7ffe6c6ea881", "type": "eql", - "version": 219 + "version": 220 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with Osascript", "sha256": "82a7a287cd5ac7dcb591e035ffdecd15f555737bed999611a2fc015ac0aeeb4e", "type": "eql", - "version": 215 + "version": 216 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Impossible Travel Location", "sha256": "dcf59b2a5eb9cea3fa3b28c42371c01991bf37cf31e626317797923adb7af039", "type": "threshold", - "version": 10 + "version": 11 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "Entra ID User Added as Service Principal Owner", "sha256": "8391a444b3933bf47281a3af89558637258d16499151f4d19fb9bd5010de3f72", "type": "query", - "version": 109 + "version": 110 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { "rule_name": "External User Added to Google Workspace Group", "sha256": "1d4f576cece46f98cac0186d4b7686f927c4329e6bf393a9cbd159dbfb4770d9", "type": "eql", - "version": 7 + "version": 8 }, "39029450-8e2d-4034-81b0-15af8e4e3a4e": { "min_stack_version": "9.3", "rule_name": "Nsenter Execution with Target Flag Inside Container", "sha256": 
"012976abca9dfba1327ea6926edf0cf40d0126e26937b9ba13570d2367d1af56", "type": "eql", - "version": 1 + "version": 2 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "fd463b53155f11c4465a2ebddd880793fb50c8d7cbb164ae7e172dae791842f3", "type": "query", - "version": 213 + "version": 214 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { "rule_name": "Downloaded Shortcut Files", "sha256": "0cd2d8329df50935d117f1e8f8cbd8a6b749d5098aea10fb2ce8095fd4b8e0ce", "type": "eql", - "version": 7 + "version": 8 }, "393ef120-63d1-11ef-8e38-f661ea17fbce": { "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls", - "sha256": "ea50abca6b44953d8810e58b35a4ab0f2e456efc1ccb2adb65d1840d162060f7", + "sha256": "57cb5c793a1562360738c9ecc43ca2dbfa62d0d194f6bd2e5299f49bf0ce2b12", "type": "esql", - "version": 8 + "version": 10 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "d1265b8223c6c20063ff460b62984e6ca6f864de6a66513d32508de2ade0d0bb", "type": "eql", - "version": 314 + "version": 315 }, "39c06367-b700-4380-848a-cab06e7afede": { "rule_name": "Systemd Generator Created", "sha256": "ba955d67667f012e2b16b7f60f9d67344026b1c6964d11f2dd1da09cd04fa97e", "type": "eql", - "version": 8 + "version": 9 }, "3a01e5c6-ce01-46d7-ac9f-52dc349695fb": { "rule_name": "Kubernetes Anonymous User Create/Update/Patch Pods Request", "sha256": "7f2bf812108252f0c2cec448e9f10dfff725021983a612df901b4dd4d36b49c7", "type": "eql", - "version": 3 + "version": 4 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "046338d3b95b4b4a22498cb8fdd538e20619623197e2a583d8477e82f2f07c9c", "type": "eql", - "version": 316 + "version": 317 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "rule_name": "Suspicious Module Loaded by LSASS", "sha256": "796e8f216c09cde2bcb8f6dea7f1570c7759d3a27fe86d229895f85ff629118d", "type": "eql", - "version": 15 + "version": 16 
}, "3a657da0-1df2-11ef-a327-f661ea17fbcc": { "rule_name": "Rapid7 Threat Command CVEs Correlation", "sha256": "578f758b47b1aead0b38e093c09d6cf0b68b2f4f3b8412cb9e7a7aec89f7c7c9", "type": "threat_match", - "version": 107 + "version": 108 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", @@ -3161,37 +3167,37 @@ "rule_name": "WDAC Policy File by an Unusual Process", "sha256": "bd13988291b5cb72058e02ddbb6ad4616961a1b28e358601ef15c1d62837d8e6", "type": "eql", - "version": 7 + "version": 8 }, "3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": { "rule_name": "External IP Address Discovery via Curl", "sha256": "8b76cd9c1817c00cade7709946be584ee7ae14b634434ca378634e3d717e5172", "type": "eql", - "version": 1 + "version": 2 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "6c9b9155e809656088fdd932c9134a2986d4809c75cadec68224554ef6c76397", "type": "query", - "version": 111 + "version": 112 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "rule_name": "Azure VNet Full Network Packet Capture Enabled", "sha256": "e200432935afd9d703887c7f3ef678e67887553e91570a46e0f59f266667eb62", "type": "query", - "version": 110 + "version": 111 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "9b60a36c69eb59819eabf8baff81ce0f4d7f7c8663d59efc062d57990122d231", "type": "new_terms", - "version": 207 + "version": 208 }, "3aff6ab1-18bd-427e-9d4c-c5732110c261": { "rule_name": "Suspicious Kernel Feature Activity", "sha256": "e15b8360b5fa96f7f261912197ae09404a3268f8229561e6bcc3f39b7d56448b", "type": "eql", - "version": 5 + "version": 6 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", 
@@ -3203,31 +3209,31 @@ "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "ad8c4fc9a44c93f4c1ca79d8954e509b790c3bd3199a8ea3bcdc21e55aee6a8d", "type": "eql", - "version": 418 + "version": 419 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", "sha256": "9354b45311be9fe16a9acb746a33c1bd4a40f927d7efdef1f097f9708c29702d", "type": "eql", - "version": 321 + "version": 322 }, "3c216ace-2633-4911-9aac-b61d4dc320e8": { "rule_name": "SSH Authorized Keys File Deletion", "sha256": "8ccc9ffefdcb3516217cb8bcec790571ad1559f608b2eb380758df09de98a993", "type": "eql", - "version": 6 + "version": 7 }, "3c3f65b8-e8b4-11ef-9511-f661ea17fbce": { "rule_name": "AWS SNS Topic Created by Rare User", "sha256": "3216757a897e26e81d8b37469ca11d9cd83cf3bde8bc78df45c871a1e4051459", "type": "new_terms", - "version": 6 + "version": 7 }, "3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7": { "rule_name": "AWS GuardDuty Member Account Manipulation", "sha256": "a40514c715a70b1163a1e1f528f68857ffc2122ec3f68c23b33c12e87aee77c9", "type": "query", - "version": 2 + "version": 3 }, "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": { "min_stack_version": "9.3", @@ -3243,7 +3249,7 @@ "rule_name": "Potential Impersonation Attempt via Kubectl", "sha256": "6f05c685fff2f027e142e25e5d1e4228ecf4ff2b4714298055101681504880f5", "type": "eql", - "version": 104 + "version": 105 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "min_stack_version": "9.4", 
@@ -3259,43 +3265,43 @@ "rule_name": "Unusual Linux Network Port Activity", "sha256": "21ab8bdde2ddb498cb6c6edcdfd953b4b9690ca4b6075b3281943bbb160799e3", "type": "machine_learning", - "version": 209 + "version": 210 }, "3c82bf84-5941-495b-ac41-0302f28e1a90": { "rule_name": "Kubernetes Sensitive RBAC Change Followed by Workload Modification", "sha256": "f137913826f4dfb346b155061fef745d733d9ac84ad693ed6646cd5fa68123b8", "type": "eql", - "version": 3 + "version": 4 }, "3c9f7901-01d8-465d-8dc0-5d46671035fa": { "rule_name": "Kernel Seeking Activity", "sha256": "b6ed31a8880a5bf50d74e9dcc03e8b2cb2a5102bcb585e66bfe54222fb8eb4d7", "type": "eql", - "version": 7 + "version": 8 }, "3ca81a95-d5af-4b77-b0ad-b02bc746f640": { "rule_name": "Unusual Pkexec Execution", "sha256": "fe48ab4d99dcee0d5c5d78d13fd52a051728cc3f40f8e2da36a99717430d3944", "type": "new_terms", - "version": 107 + "version": 108 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "b1672954e193a08ee14cf25ad9a926ef7c6d72374b4b36e9fa0067a9ee840fe4", "type": "eql", - "version": 211 + "version": 212 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "c659f3531861796f257f84b285c8bc268159860e17ada2092b5ddb0004cc8f68", "type": "query", - "version": 211 + "version": 212 }, "3db029b3-fbb7-4697-ad07-33cbfd5bd080": { "rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins", "sha256": "00f3734aeadad18ecaa1bb530c67b46dd2d9a77276365492a19c14fc174dea3a", "type": "esql", - "version": 6 + "version": 7 }, "3dc4e312-346b-4a10-b05f-450e1eeab91c": { "min_stack_version": "9.3", 
@@ -3308,13 +3314,13 @@ "rule_name": "AWS SNS Rare Protocol Subscription by User", "sha256": "32680ca1127f1b7e76119a007029e178da00282028a5aa539ca6d3520f448c0f", "type": "new_terms", - "version": 10 + "version": 11 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", "sha256": "781c416727462ac0e014347828b7c261ba04967713972c298db7516882f130ba", "type": "query", - "version": 215 + "version": 216 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { "min_stack_version": "9.4", 
@@ -3330,55 +3336,55 @@ "rule_name": "Spike in Number of Connections Made from a Source IP", "sha256": "81349653c7bef22cf29580e3ace788925cb5a9d8b543e05fb97f9a36da0e0796", "type": "machine_learning", - "version": 109 + "version": 110 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "d63e463099820ef415fca37e369392f17e227ba4229ff8aa8e48ff9dac348e8b", "type": "eql", - "version": 213 + "version": 214 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { "rule_name": "Kernel Driver Load", "sha256": "0a649a755936c4b5da4883d2cb39416fee6ed20ff38954671bfa71ebcf3d8581", "type": "eql", - "version": 8 + "version": 9 }, "3e3d15c6-1509-479a-b125-21718372157e": { "rule_name": "Suspicious Emond Child Process", "sha256": "c586b75e397cda63031abb53a78c714e80a8a1dfb2d133d0e35827dcba2a6902", "type": "eql", - "version": 113 + "version": 114 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "rule_name": "Potential Remote File Execution via MSIEXEC", "sha256": "5dc58754cc4f82d45abfe4dc812f1a4e4823e795adf94e534fd630f2b61d6105", "type": "eql", - "version": 8 + "version": 9 }, "3e528511-7316-4a6e-83da-61b5f1c07fd4": { "rule_name": "Remote File Creation in World Writeable Directory", "sha256": "fc8e3c202ef830d2941a6ad711b2144582b8312d846d1a75ced12e2f63f22a80", "type": "new_terms", - "version": 7 + "version": 8 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "4fe6e4dfb6e7e93063fa4911b3c2025b8492162b1f28e177045abb5224eb1bbc", "type": "eql", - "version": 319 + "version": 320 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "rule_name": "Suspicious Process Creation CallTrace", "sha256": "eac8a62ca1cd0d0965dc5352545dc9eb7341fceab8cbfa3a9d801b1534511f08", "type": "eql", - "version": 312 + "version": 313 }, "3ee526ce-1f26-45dd-9358-c23100d1121f": { "rule_name": "Linux Audio Recording Activity Detected", "sha256": 
"25b189c8cc3cec6eaf6f44babd229e8590b233434678bbfcdacb28cdd93364f5", "type": "new_terms", - "version": 2 + "version": 3 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts", @@ -3390,31 +3396,31 @@ "rule_name": "CyberArk Privileged Access Security Error", "sha256": "149a70bdcd76cf9bf067b2539841f715ee8df3aa2773e8f4505c24ecda648101", "type": "query", - "version": 106 + "version": 107 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { "rule_name": "Potential Protocol Tunneling via Chisel Client", "sha256": "94be773db4ae46451aaa962d086a75466bbd8d1a8f6afdd666d19cf0b51bdcde", "type": "eql", - "version": 12 + "version": 13 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "rule_name": "Binary Executed from Shared Memory Directory", "sha256": "d0213728bd6f84baef92aa0cfd3502dddef5d9b975a87ca21fabbded914ca935", "type": "eql", - "version": 116 + "version": 117 }, "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": { "rule_name": "Potential Data Exfiltration via Rclone", "sha256": "654c6762675bbe2e86e2cdc5f2883647739cb1d40a8231cdd3156fd69752ad41", "type": "eql", - "version": 4 + "version": 5 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "rule_name": "Process Discovery via Built-In Applications", "sha256": "69d7a45361fa360c7008395ce81012bd3497330d2b62c25ebfd1913cbd58a87b", "type": "new_terms", - "version": 7 + "version": 8 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { "min_stack_version": "9.4", 
@@ -3430,25 +3436,25 @@ "rule_name": "Unusual Time or Day for an RDP Session", "sha256": "88291719875740ebfe930f0d6526a42e8de7f03c6c6eb67af3bfaa96b77b400d", "type": "machine_learning", - "version": 109 + "version": 110 }, "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { "rule_name": "Command Execution via ForFiles", "sha256": "02b65a2a6c93487298996a9bfedaedb4d1436598cb4267292ef241ebc36be63e", "type": "eql", - "version": 7 + "version": 8 }, "3fac01b2-b811-11ef-b25b-f661ea17fbce": { "rule_name": "Entra ID MFA TOTP Brute Force Attempted", "sha256": "0c901fa65426f1462fb80e4ca2d1faf929654f311d89f202a3280dc35c9ab403", "type": "esql", - "version": 9 + "version": 10 }, "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { "rule_name": "DNF Package Manager Plugin File Creation", "sha256": "719051601ba7f4bc360e488b3f96c381ddee61bc0d99d586137c39964715592e", "type": "eql", - "version": 108 + "version": 109 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { "min_stack_version": "9.4", 
@@ -3464,91 +3470,91 @@ "rule_name": "Unusual Process Spawned by a User", "sha256": "cb675206bfdfdbd51d00586a43ad5ab1b7a4b7cf9df4e553b7a9d967e5f1d711", "type": "machine_learning", - "version": 211 + "version": 212 }, "4021e78d-5293-48d3-adee-a70fa4c18fab": { "rule_name": "Potential Azure OpenAI Model Theft", - "sha256": "95545a1f85bdb02d2df6d31c2bd4f9fc0c6ad61f606abc56c7b749ec0823064c", + "sha256": "f5943841572ea047091c8d64f568053c517e10ee41b48cb5f13a403583415c62", "type": "esql", - "version": 5 + "version": 7 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { "rule_name": "GitHub User Blocked From Organization", "sha256": "7b0f9689a8a45ba9dde72567402b194089a439875f380ef1ece3fbea910dfe3a", "type": "eql", - "version": 206 + "version": 207 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", "sha256": "8672a0625e04b58e7bbe56de0f48ddd08dee74082cfb85e5dc0eb2a5fe9209a2", "type": "eql", - "version": 318 + "version": 319 }, "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": { "rule_name": "New GitHub Self Hosted Action Runner", "sha256": "8bc6935db6bda5ca9d6adfaf7c46a30e9041e429a474d22fb9bea08e8129f9e2", "type": "new_terms", - "version": 4 + "version": 5 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "rule_name": "Suspicious Modprobe File Event", "sha256": "07ed14815a1ee29d7a2ff5875f8b1a3077e662274428187236ecfb4fc4c0cb80", "type": "new_terms", - "version": 112 + "version": 113 }, "40e60816-5122-11f0-9caa-f661ea17fbcd": { "rule_name": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected", "sha256": "e79dc5d558b08aa2d6a5ac711b6839d68982ebf44258c71d341bd4fa6f8a122c", "type": "eql", - "version": 5 + "version": 6 }, "40fe11c2-376e-11f0-9a82-f661ea17fbcd": { "rule_name": "M365 Exchange Inbox Phishing Evasion Rule Created", "sha256": "070959c714f7a09d058737cad7ec89cc9e40d1ead7af7e3e6b3448b52335f045", "type": "new_terms", - "version": 5 + "version": 6 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { "rule_name": "Unix Socket Connection", 
"sha256": "50405e170ddbf72168eb26b96b10d0ddeef2da2ea25dbc04fd4820ec47ce4aef", "type": "eql", - "version": 109 + "version": 110 }, "41554afd-d839-4cc2-b185-170ac01cbefc": { "rule_name": "AWS Sensitive IAM Operations Performed via CloudShell", "sha256": "f35e27ff8f1f926289ec4c5333d1a66e6a4b7bb6e3d244d9024e2e87f621ec0d", "type": "query", - "version": 3 + "version": 4 }, "416697ae-e468-4093-a93d-59661fa619ec": { "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "ecc40ef6f1887e2552a67ac50b893a78045aa90c933ed8ef9dba6dbc5db45679", "type": "eql", - "version": 319 + "version": 320 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "a44f29bc649117953df7644b522fe34d02e04792ce1995c96d63aefa46581be4", "type": "new_terms", - "version": 207 + "version": 208 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "Deprecated - EggShell Backdoor Execution", "sha256": "ad194c072b22ac1d47da8069b2c2cda6478e3fd76ec7f8dd2e6914f3328b7ecb", "type": "query", - "version": 107 + "version": 108 }, "4182e486-fc61-11ee-a05d-f661ea17fbce": { "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public", "sha256": "a194f601c0396232cfc2cf076aec26674df35dbebda99b88ba26210ab1342940", "type": "eql", - "version": 10 + "version": 11 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", "sha256": "5117bb1a4b1e01d38cf252aea6b1d85875d355d76d43d8355a82c5e6c8b94ec8", "type": "eql", - "version": 111 + "version": 112 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { "min_stack_version": "9.3", @@ -3564,7 +3570,7 @@ "rule_name": "Mount Execution Detected via Defend for Containers", "sha256": "4aea5af437fef5fae47cf6ed305293ff950199332e2fb03503525348f1b6cbb6", "type": "eql", - "version": 103 + "version": 104 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { "min_stack_version": "9.3", 
@@ -3580,38 +3586,38 @@ "rule_name": "Interactive Exec Into Container Detected via Defend for Containers", "sha256": "3beffdc64d3c80e62705d9f9f3a6b6fc92f18bd94136f30202711303713d78b3", "type": "eql", - "version": 104 + "version": 105 }, "428e9109-dc13-4ae9-84cb-100464d4c6fa": { "rule_name": "Unusual Login via System User", "sha256": "5b2247172cc6a9ec4fb03f5f3bb198e0ebbe37e546e0742e0a78510f59e8ba6e", "type": "new_terms", - "version": 7 + "version": 8 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "rule_name": "Potential Okta Password Spray (Single Source)", "sha256": "d564134d98af7a3d81f0386dc3680e01e1259752b63bdb4657a1220d9d26a3c2", "type": "esql", - "version": 418 + "version": 419 }, "42c97e6e-60c3-11f0-832a-f661ea17fbcd": { "rule_name": "Entra ID External Authentication Methods (EAM) Modified", "sha256": "1a5cfbafaa947d1a30a0e36172836401d4ae9185aa8bc05e1c51245e1adeb397", "type": "new_terms", - "version": 4 + "version": 5 }, "42de0740-8ed8-4b8b-995c-635b56a8bbf4": { "min_stack_version": "9.3", "rule_name": "Kubelet Certificate File Access Detected via Defend for Containers", "sha256": "5607487040f92b7d283e36023a5fe5282bf400d31b48f4dbf1eb2ebc42106dca", "type": "eql", - "version": 2 + "version": 3 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "rule_name": "Process Creation via Secondary Logon", "sha256": "dbeba92d4f831b5f36a5a0d99766eb50182c1b60eade9a6452880f4ceb9db0d0", "type": "eql", - "version": 116 + "version": 117 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "min_stack_version": "9.4", @@ -3627,7 +3633,7 @@ "rule_name": "Unusual Login Activity", "sha256": "ceada163683a969ff0c09eeb47c2a6548ed0c5540c6489baaba37e1279299e79", "type": "machine_learning", - "version": 207 + "version": 208 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", 
@@ -3639,20 +3645,20 @@ "rule_name": "Linux User Added to Privileged Group", "sha256": "4087c9d1fa0fbd63a5994e714de0043354219e1486a90d369e6f9568db609f9b", "type": "eql", - "version": 114 + "version": 115 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "faa296ace7afe520ea4ef4a8f94e73bdaabf18a3fdff2491b9411910a92c7b26", "type": "eql", - "version": 316 + "version": 317 }, "444c8fad-874f-4f59-b0ea-cf26cea478bd": { "min_stack_version": "9.2", "rule_name": "AWS Account Discovery By Rare User", "sha256": "ca6ee51c94c13583db988064c27811dd1667e2ed0c6f855641192291f42480b9", "type": "new_terms", - "version": 2 + "version": 3 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "9.4", 
@@ -3668,31 +3674,31 @@ "rule_name": "Unusual Windows Path Activity", "sha256": "9521887c113dba587810eda8d843fae683aa907a35cb28d192ad2af4fea6f05c", "type": "machine_learning", - "version": 310 + "version": 311 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", "sha256": "a3ea7556a748c2042b4ddc53356093c97193a916b4a367701ae9c45c75e2d656", "type": "eql", - "version": 7 + "version": 8 }, "44cb1d8a-1922-4fc0-a00f-36c1caf57393": { "rule_name": "Potential snap-confine Privilege Escalation via CVE-2026-3888", "sha256": "2914fe3d40dd1b622e50c819001ef6f6841a9ab90204059631fee0d078b93a01", "type": "eql", - "version": 2 + "version": 3 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "rule_name": "Multiple Vault Web Credentials Read", "sha256": "4674d5f4a49d989f5bd2e7c5a3c68c4cb0b3c01bd3785dbaf23d881418bbd326", "type": "eql", - "version": 116 + "version": 117 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { "rule_name": "AWS Route 53 Resolver Query Log Configuration Deleted", "sha256": "bdcca3f4e0bc64249b3b8122881ea1261a2d6730802c955c30624c65a57f137f", "type": "query", - "version": 8 + "version": 9 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Elastic Endgame", 
@@ -3705,50 +3711,50 @@ "rule_name": "Rare Powershell Script", "sha256": "9c0511f7439e1c00c5d8282719bc8a3a3264846f0c2da4f4f9ee4cdcf7ec335f", "type": "machine_learning", - "version": 1 + "version": 2 }, "4577ef08-61d1-4458-909f-25a4b10c87fe": { "rule_name": "AWS RDS DB Snapshot Shared with Another Account", "sha256": "e7c9e715dfc5202e3726e02eb0845d9ebc862820f8d6f38bbc831db9a30afacf", "type": "eql", - "version": 8 + "version": 9 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { "rule_name": "Windows Event Logs Cleared", "sha256": "5dbb2ba25bb9773b3f4cbfe7113bdfbea3297b4abe47e86d665329d81f9ce439", "type": "query", - "version": 216 + "version": 217 }, "45d099b4-a12e-4913-951c-0129f73efb41": { "min_stack_version": "9.2", "rule_name": "Web Server Potential Remote File Inclusion Activity", - "sha256": "eac6dd3f878185bf383aa944ce7171b5ac8f06bbac00216eda18a5633aaef77c", + "sha256": "55cccf9030c37cae0a910817ffe302dbd00b099b549e8f0441949be7a4241d47", "type": "esql", - "version": 5 + "version": 7 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "0ccdfbb0e5e5ffd32a9233c3ddf4f8302da0fb0f0850ce2f8d4581d3fbb3b3e5", "type": "eql", - "version": 220 + "version": 221 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "564bb0d746bd663f81363cdf9ac732590b9f53cb2de5ba98a67f800fb3539a31", "type": "eql", - "version": 321 + "version": 322 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "930128205c02f5c7f26427faefeb2d4bab4bebdacf586a93b0aa5017bef1e78b", "type": "eql", - "version": 318 + "version": 319 }, "46b01bb5-cff2-4a00-9f87-c041d9eab554": { "rule_name": "Browser Process Spawned from an Unusual Parent", "sha256": "9b29139c1b7fd40c89143857a62a03aa09c8e7963ef54f650fff4224dc441f21", "type": "eql", - "version": 4 + "version": 5 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "min_stack_version": "9.4", 
@@ -3764,31 +3770,31 @@ "rule_name": "Unusual Process For a Linux Host", "sha256": "e3f402cd3a598b9f2569f90d33ef2259c22ad46f3dc1bdc3c4c5b17eec84f8bf", "type": "machine_learning", - "version": 208 + "version": 209 }, "472b4944-d810-43cf-83dc-7d080ae1b8dd": { "rule_name": "Multiple Cloud Secrets Accessed by Source Address", "sha256": "5e4eae6eda373ea926bb58a7a366c5a8f2927a722bf046ea56b6c12f05a39d09", "type": "esql", - "version": 6 + "version": 7 }, "47403d72-3ee2-4752-a676-19dc8ff2b9d6": { "rule_name": "AWS IAM OIDC Provider Created by Rare User", "sha256": "2b8214da1cdbd0bc040957a0d7526d484399595432c8a33204adcf6632c40bc7", "type": "new_terms", - "version": 3 + "version": 4 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "rule_name": "System V Init Script Created", "sha256": "a68393a005eedad66f216d14894d34d69d69ddf143cc9fa39a2f535685870c6b", "type": "eql", - "version": 119 + "version": 120 }, "47595dea-452b-4d37-b82d-6dd691325139": { "rule_name": "Credential Access via TruffleHog Execution", "sha256": "80cd369aeb6877b1db2b6c12d1783ea6a5d0a624fa9017500b34cad571cef398", "type": "eql", - "version": 4 + "version": 5 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "min_stack_version": "9.3", 
@@ -3804,32 +3810,32 @@ "rule_name": "Sensitive File Compression Detected via Defend for Containers", "sha256": "731ba52a513156d8a87d316d77433a64170711f97dc7f177f3f719aea71b3314", "type": "eql", - "version": 105 + "version": 106 }, "476267ff-e44f-476e-99c1-04c78cb3769d": { "rule_name": "Cupsd or Foomatic-rip Shell Execution", "sha256": "653a7ef1791236e63f96af404c6b02046875b405b8037d13ccb1a3e7998ba6fd", "type": "eql", - "version": 107 + "version": 108 }, "47661529-15ed-4848-93da-9fbded7a3a0e": { "min_stack_version": "9.3", "rule_name": "Chroot Execution Detected via Defend for Containers", "sha256": "59db7a4c53b4f3ddb4207c6491c7bd8d81c264d0c04da5d8788ab834607b79d7", "type": "eql", - "version": 2 + "version": 3 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "a5af415e1f2c7a456ca9118e3e4597cc2b0b71a212a73a2fa72bda8e0830cac8", "type": "eql", - "version": 218 + "version": 219 }, "47e46d85-3963-44a0-b856-bccff48f8676": { "rule_name": "DNS Request for IP Lookup Service via Unsigned Binary", "sha256": "5507c058a6bcd349f879a5f5b392db5d4cc807eb70ed4a818f9712aefe6e45a4", "type": "eql", - "version": 2 + "version": 3 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", 
@@ -3841,92 +3847,92 @@ "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "938566ecdd4b7685b7907233ea57cfe0cb348a40ac06c7eb2716b07aab912725", "type": "eql", - "version": 113 + "version": 114 }, "47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5": { "rule_name": "Potential Database Dumping Activity", "sha256": "aad1b6a1095cc1013ae935d6e8045119e05fe3ef4f5834c1f9127be2395959e7", "type": "eql", - "version": 2 + "version": 3 }, "483832a8-ffdd-4e11-8e96-e0224f7bda9b": { "min_stack_version": "9.2", "rule_name": "New USB Storage Device Mounted", "sha256": "68046728274c9ab9c11bc0b39e461e49b9a9b9848f71d7011fe77d57ba59496e", "type": "new_terms", - "version": 2 + "version": 3 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "5a1aba147a9b9f814d2d1b09cd541b22ae6d611c7fd6f3188f5920edab8078c0", "type": "eql", - "version": 318 + "version": 319 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "M365 Exchange Mailbox Accessed by Unusual Client", "sha256": "8a10e8db5467f33d67e8ed3dca2f5a1d079e9d210603960f09e9db3ea9d997c7", "type": "new_terms", - "version": 113 + "version": 114 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "rule_name": "Potential Reverse Shell", "sha256": "e0d23e8a4ce93e59d053897dac95bd93ea4007fea82aa10026eb0f9cb6aa98c0", "type": "eql", - "version": 15 + "version": 16 }, "48b6edfc-079d-4907-b43c-baffa243270d": { "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "13da83ae4ff6203a49a32508015f5afa1857f4551dfcaad34b06c929cf1e6a56", "type": "esql", - "version": 119 + "version": 120 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", "sha256": "be6c7b51b8751b54b6b8c450645ccbe983f6d0ad6b84552de2019226faae60b8", "type": "eql", - "version": 111 + "version": 112 }, "48e60a73-08e8-42aa-8f51-4ed92c64dbea": { "rule_name": "Suspicious Microsoft HTML Application Child Process", "sha256": 
"7c56c9e26607fba3339913474442ef3d7bfbf6293b5c99f54d2eb96881fade95", "type": "eql", - "version": 4 + "version": 5 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "20d159f7d05efe06ca199cdaaa7dbfd309d575bb0863bb8a3abb182ce79e8ac5", "type": "eql", - "version": 110 + "version": 111 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "rule_name": "Remote XSL Script Execution via COM", "sha256": "f1c328ae4209f8dd970135e0448fcc4570c22a584600e6623a6e7b834d57b7a0", "type": "eql", - "version": 8 + "version": 9 }, "491651da-125b-11f1-af7d-f661ea17fbce": { "rule_name": "M365 SharePoint/OneDrive File Access via PowerShell", "sha256": "85739e22b434b14be9315877943b9eb3b82ce63928b065f96cb4631cb598768c", "type": "new_terms", - "version": 4 + "version": 5 }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "d94a4754a0bac94045cb963405493f79639e4750d53db7855347719f027c7a91", + "sha256": "341a8470ad5c7618b7be6e4a50d4bd34a9b8d4df9f021843baa58f4d22af7514", "type": "esql", - "version": 107 + "version": 109 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { "rule_name": "Potential Linux Backdoor User Account Creation", "sha256": "9365957412d43c05676cc64a16e5849fea6369fb83f1f3bc6433834987b4d0c1", "type": "eql", - "version": 114 + "version": 115 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "6d87b2fabfb96262dab24abba760dd06624e339e6f6754d5b80da802c4fcc200", "type": "query", - "version": 111 + "version": 112 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", 
@@ -3939,13 +3945,13 @@ "rule_name": "Web Server Exploitation Detected via Defend for Containers", "sha256": "4f015b58f7cc44127fa2338b2af0178f6882ee823df52179f218821a49ec03e8", "type": "eql", - "version": 3 + "version": 4 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { "rule_name": "Process Discovery Using Built-in Tools", "sha256": "547cc7d9e89793916feda5f91bfa09fcdb1001369b259f28b1d90f8790b0c8b7", "type": "eql", - "version": 111 + "version": 112 }, "498e4094-60e7-11f0-8847-f661ea17fbcd": { "min_stack_version": "9.2", @@ -3968,7 +3974,7 @@ "rule_name": "Entra ID Federated Identity Credential Issuer Modified", "sha256": "75ce697b7ebba19a90b13ad5c2a00f716b1136889ac57cf0454fb38d2abf3033", "type": "esql", - "version": 209 + "version": 210 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", @@ -3980,7 +3986,7 @@ "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", "sha256": "ebb411cb6d8deec435be6983e89ff05cf986d078ea776de1c513732dad30a8a8", "type": "eql", - "version": 111 + "version": 112 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "rule_name": "Potential Cross Site Scripting (XSS)", @@ -3992,7 +3998,13 @@ "rule_name": "Connection to Common Large Language Model Endpoints", "sha256": "e3a857464bccee09ed43658511ac90b4b5e1ab9d35a7e6f562e8222fb1c31356", "type": "eql", - "version": 6 + "version": 7 + }, + "4b11dbab-ce37-49c4-bdf1-cdf64b405d96": { + "rule_name": "Entra ID Kali365 Default User-Agent Detected", + "sha256": "d8759e78bb798855a5a61d818a59707d86bb975918b0089e301ce67513530d2d", + "type": "query", + "version": 1 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", 
@@ -4004,13 +4016,13 @@ "rule_name": "Entra ID Protection - Risk Detection - User Risk", "sha256": "5df9119f737237a17d5b11d6333596ed6cccdcea1c3d4ddb2115cee9fdf15a27", "type": "query", - "version": 4 + "version": 5 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "712e9f27b5d709ea5f42c73b492a3eb4b4c9d9a749c11b25a0c40218cf62765a", "type": "eql", - "version": 317 + "version": 318 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "min_stack_version": "9.3", @@ -4026,25 +4038,25 @@ "rule_name": "Container Workload Protection", "sha256": "498945c61a0e56d7dee2199258dd45db789fe0034e64cf69ce36b49ebf2a1568", "type": "query", - "version": 106 + "version": 107 }, "4b74d3b0-416e-4099-b432-677e1cd098cc": { "rule_name": "Container Management Utility Run Inside A Container", "sha256": "4b1c24e5e2fb7b93b9cab43640dcb67a1a8d8023080af350342420b412d954a3", "type": "eql", - "version": 5 + "version": 6 }, "4b77d382-b78e-4aae-85a0-8841b80e4fc4": { "rule_name": "Kubernetes Forbidden Request from Unusual User Agent", "sha256": "88773d78b14a1bcdf590ca88cafbe442d00a5a49f47b498e65a6ac6d4a767133", "type": "new_terms", - "version": 6 + "version": 7 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "rule_name": "ProxyChains Activity", "sha256": "68defaeb26fa351359ae0446628962b14803c4baeff4ee68daf60bf8947ef046", "type": "eql", - "version": 110 + "version": 111 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { "min_stack_version": "9.4", 
@@ -4060,134 +4072,134 @@ "rule_name": "Unusual Process Writing Data to an External Device", "sha256": "1589cefc5200c7e7996d5300845a603f75f00b8ae38c6b4aaf586efc53f66089", "type": "machine_learning", - "version": 108 + "version": 109 }, "4bae6c34-57be-403a-a556-e48f9ecef0b7": { "rule_name": "M365 Quarantine and Hygiene Signal", "sha256": "f2d1e7436634073de94351647b98d9e406d09f11b6250cd96fef280126632366", "type": "query", - "version": 2 + "version": 3 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "ed8dcb92cfeba3e300ed4a8d4692886005db714dc1ec5c71e5b68c0da285cde6", "type": "eql", - "version": 316 + "version": 317 }, "4bd306f9-ee89-4083-91af-e61ed5c42b9a": { "min_stack_version": "9.3", "rule_name": "Service Account Token or Certificate Access Followed by Kubernetes API Request", "sha256": "2bd3b29bb1de58aceb5f105d638bee45273c848f3ee80c7cee83e90a04964ee5", "type": "eql", - "version": 3 + "version": 4 }, "4c3c6c47-e38f-4944-be27-5c80be973bd7": { "rule_name": "Unusual SSHD Child Process", "sha256": "7836bbad444d51d5c8299aea810ea766e37ff1aaa90696ff4de74a6882d1fa3a", "type": "new_terms", - "version": 7 + "version": 8 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "rule_name": "PowerShell Share Enumeration Script", "sha256": "53e870fdfb17df75e77e5625dad994b7014b21b3b90229e0436817acaa6aad78", "type": "query", - "version": 116 + "version": 117 }, "4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c": { "rule_name": "Azure Storage Account Blob Public Access Enabled", "sha256": "3a0186ed0069a6b04d772c0376819879b9f3230c5f97929c81fa54bb2ba09635", "type": "new_terms", - "version": 2 + "version": 3 }, "4d169db7-0323-4157-9ad3-ea5ece9019c9": { "rule_name": "Potential NetNTLMv1 Downgrade Attack", "sha256": "66c44401346ad331eee974206935f1739356fbdfa1c05b5c43a96d00aa7cf0d2", "type": "eql", - "version": 5 + "version": 6 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { "rule_name": "Kernel Load or Unload via Kexec Detected", 
"sha256": "ed5b0ee6f9acc299b7d681c6c248927820ed37d3afde535bbf22d1f88c8a5d38", "type": "eql", - "version": 113 + "version": 114 }, "4d4cda2b-9aad-4702-a0a2-75952bd6a77c": { "rule_name": "Docker Release File Creation", "sha256": "fcf46bfd3250345e843693606f5fb82feefdc1be32b6a5f2b0f4a2ba0f09777d", "type": "eql", - "version": 4 + "version": 5 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "33007e4af04655ed7b7d38d9aa4047437e04c7a32a683fb1d94d0c6f9c0126bc", "type": "threshold", - "version": 214 + "version": 215 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", "sha256": "15628d00707d5cb8162b39822a54eaefbaba7cacec4fe61de572319ea4b25767", "type": "eql", - "version": 111 + "version": 112 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "2547fbd8709d4cf9e8f4bd0048a897e98859ec4f7ab564261d6a52e38f94d2ef", "type": "eql", - "version": 320 + "version": 321 }, "4df91789-7859-4bc4-9c5a-6b56bfa81a8b": { "rule_name": "Kubernetes Service Account Token Created via TokenRequest API", "sha256": "0706a9e1eb235c20672104023108aba9b31558c357fbe714d749883acecfda4f", "type": "query", - "version": 1 + "version": 2 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "18af43592e9ea1cab61766146cc9e4060b3d000eea41d6ed6b5e839350b3e422", "type": "eql", - "version": 117 + "version": 118 }, "4ec47004-b34a-42e6-8003-376a123ea447": { "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", "sha256": "3141b56172d9325f7e292f8848a1c32a7d10bbe33ba9a2d6876e5a8895c80063", "type": "eql", - "version": 115 + "version": 116 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "fee10156d1f4a3f29bc42acbf1ad6ee3ba381b251d656d9705905328d11f7503", "type": "new_terms", - "version": 
319 + "version": 320 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "rule_name": "Suspicious Script Object Execution", "sha256": "8b925f4de064a926ab17d2911e80bf6947d6e864da4aad5afcebc3491a482ecb", "type": "eql", - "version": 214 + "version": 215 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "rule_name": "Unauthorized Access to an Okta Application", "sha256": "86ae4800d9e3322d8946ef71eadb796219d883ca2d8b3772316c430eff73718e", "type": "query", - "version": 415 + "version": 416 }, "4f2654e4-125b-11f1-af7d-f661ea17fbce": { "rule_name": "M365 SharePoint Search for Sensitive Content", "sha256": "4bad672d48c22df5551ec3342e6f2c08bd9615a39c6c71edae46085f8673643c", "type": "eql", - "version": 2 + "version": 3 }, "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "rule_name": "Kernel Unpacking Activity", "sha256": "991d514239a7588fb6359ef0829150e5fba13a68886bf02602eff1ce014b7a26", "type": "eql", - "version": 7 + "version": 8 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "rule_name": "Unusual High Confidence Content Filter Blocks Detected", - "sha256": "bbed7d005c3add1b1f91865e98385a1db6bab42d2c50a6f304be8f9987154da8", + "sha256": "0049ba0ec56c95ad65db5e90c32b96b6524f6b46b3ec05aa89ff6eedbc0a0a36", "type": "esql", - "version": 9 + "version": 11 }, "4f8f7c08-ffb5-443f-86c6-0884c964df7b": { "rule_name": "Kubernetes Admission Webhook Created or Modified", 
@@ -4199,97 +4211,97 @@ "rule_name": "Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource", "sha256": "d07ed0c823ebd2b302a39fbc13b2439306173a990c39383beb8bc13e3c30cf43", "type": "query", - "version": 1 + "version": 2 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "rule_name": "Execution via TSClient Mountpoint", "sha256": "657a130aad7d1740532a346a2eb954f882688124f2deeef86f69ff060d2f4459", "type": "eql", - "version": 320 + "version": 321 }, "50742e15-c5ef-49c8-9a2d-31221d45af58": { "rule_name": "Okta Successful Login After Credential Attack", "sha256": "6dad6073685bd27507bd1019c4c661b33314e196d1df27fd1d6a4a26a3f6aa32", "type": "esql", - "version": 3 + "version": 4 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "9f970647e9f0660e49e6297139d0fac8dea160ad9a626410b76241e0e285dab4", "type": "threshold", - "version": 212 + "version": 213 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", "sha256": "38d2e2b85d115c468b86078187b4bf2e2692c83671f32a7800c8d87e8327865e", "type": "new_terms", - "version": 6 + "version": 7 }, "50eba7ec-d3f0-474c-a7f4-0906b68e350f": { "rule_name": "Suspicious SUID Binary Execution (Auditd Sequence)", "sha256": "ba5e9ec616ccbc315188f1f2b4bfae5ad1ebf11fba2f689c08b70842ebd5cada", "type": "eql", - "version": 1 + "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { "rule_name": "Windows System Information Discovery", "sha256": "3f5f4187427fe60250c06d4030358ca518b17592c87d264baef1d7091a731c6a", "type": "eql", - "version": 112 + "version": 113 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { "rule_name": "Hidden Files and Directories via Hidden Flag", "sha256": "00a937a6551df200e27af0c95020a908bd832f721000e682fd65f512541cc2c4", "type": "eql", - "version": 108 + "version": 109 }, "5134be90-42c1-4ac7-859c-4d82caaddbec": { "rule_name": "Proxy Shell Execution via Busybox", "sha256": 
"79b4ea149f88a2ee4fc8326864cadcd00ea7b142318e7e9100ab5c90dd688825", "type": "eql", - "version": 1 + "version": 2 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "rule_name": "Registry Persistence via AppCert DLL", "sha256": "f08796645892a9fa8f7c3b67c11e0245ae79f43f1da29dc7f672653ebf69815b", "type": "eql", - "version": 418 + "version": 419 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "M365 Exchange DKIM Signing Configuration Disabled", "sha256": "859bc8f0ef5f23b602f35c59bea15f012d43ae8c80cebb03c3b3b94220e29cd1", "type": "query", - "version": 213 + "version": 214 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", "sha256": "511c2959e42c07c74fe71b4f3da197e85d2a1fb979e23918829861b69aa0bd04", "type": "query", - "version": 109 + "version": 110 }, "5188c68e-d3de-4e96-994d-9e242269446f": { "rule_name": "Service DACL Modification via sc.exe", "sha256": "7b9b5cddfe539d530a81415222048a2f5018ed718b45baabb26fda249de04fbd", "type": "eql", - "version": 209 + "version": 210 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { "rule_name": "Tainted Out-Of-Tree Kernel Module Load", "sha256": "a5c34d9923fd2894a45428381962c575b3377bb30cf355c2869e5344a4e04175", "type": "query", - "version": 8 + "version": 9 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "ace765a7fa2fadc50f7138dafefb3a3ce111971e47f2a4bbe14a21d8a2d616c1", "type": "eql", - "version": 213 + "version": 214 }, "5202697c-313b-4bf0-9029-73fe78cd4b6d": { "rule_name": "EKS Authentication Configuration Modified", "sha256": "39befeda3be5d3566310a0757695d7624f95477d5cc37e279a2385c1b36607be", "type": "query", - "version": 1 + "version": 2 }, "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected", 
@@ -4301,32 +4313,32 @@ "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "0a394ab67c395bcdc27b3ad12d450d8ce316d1f4bb5eb00b82dc41ce9e6713d7", "type": "query", - "version": 212 + "version": 213 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", "sha256": "db0a78fa15e70e7486162d61b6f30566133d52e6433e0e9d7dc42ffbf6eeae48", "type": "eql", - "version": 119 + "version": 120 }, "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": { "min_stack_version": "9.3", "rule_name": "Tool Installation Detected via Defend for Containers", "sha256": "06b375e493f4b41424c0ca40c75d93d51a0530eaa4a352ee6d7853d70b04a0d3", "type": "eql", - "version": 4 + "version": 5 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { "rule_name": "Execution via Microsoft DotNet ClickOnce Host", "sha256": "29634fdc3cfdb91140f35c87f79547edac1b9e106807a8cc21d7ee6b51912e87", "type": "eql", - "version": 4 + "version": 5 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "cde1e6487ebcc56f9050150c0378e2da7deff62ad47b9dab28c2794674535116", "type": "eql", - "version": 214 + "version": 215 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "min_stack_version": "9.4", @@ -4342,7 +4354,7 @@ "rule_name": "Unusual Linux Network Activity", "sha256": "c3933dcb86a4f1abdb07a73739d56f6fd50701e0ce42c766af4402e47f547ba6", "type": "machine_learning", - "version": 208 + "version": 209 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", 
@@ -4360,25 +4372,25 @@ "rule_name": "Suspicious CronTab Creation or Modification", "sha256": "06aa18b798246b990e22baa71af8b598ed63603682333c4694537075d56ce774", "type": "eql", - "version": 112 + "version": 113 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "9cf2ba4a67c472e0406c42262df0bb6ccddb11451ddcf29de0d5985842a08f96", "type": "new_terms", - "version": 15 + "version": 16 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System Deleted", "sha256": "8cf6dfd14e01e720347865eb598fe80c73084a718b4f5703b63d214db4d68052", "type": "query", - "version": 212 + "version": 213 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deleted", "sha256": "7ca60ba6ad3527a0ae4294e9191284da98a6981a9abccf9356442eafe415f24e", "type": "new_terms", - "version": 109 + "version": 110 }, "5378a829-30c2-435a-a0f2-e3d794bd6f80": { "min_stack_version": "9.4", 
@@ -4394,85 +4406,92 @@ "rule_name": "Rare GCP Audit Failure Event Code", "sha256": "c5481b8a55bd8c39a4b9d76e1630bd8329b9339cb43e40347317861244b7db02", "type": "machine_learning", - "version": 101 + "version": 102 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { "rule_name": "Statistical Model Detected C2 Beaconing Activity", "sha256": "13ca397ec6553f6c993d68c532077536be213be3dee894a2609b0aaea9eade5e", "type": "query", - "version": 10 + "version": 11 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", "sha256": "792ed5fc6b0a36233bde6b5f3b81cb38c17352d64cb05bf7695a121087c373c2", "type": "eql", - "version": 319 + "version": 320 }, "53dedd83-1be7-430f-8026-363256395c8b": { "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "c082e3ac3a00dc4956ce3e96ea4ec33d0e3d82e54b0ccacc0ecbdcaea938c347", "type": "eql", - "version": 110 + "version": 111 }, "53ef31ea-1f8a-493b-9614-df23d8277232": { "rule_name": "Pluggable Authentication Module (PAM) Source Download", "sha256": "cd48b0f1d4115b1444172db9c6f59b8c60c75583bf5c511ba0df9ea374aa84f5", "type": "eql", - "version": 7 + "version": 8 }, "54214c47-be7c-4f6b-8ef2-78832f9f8f42": { "rule_name": "Network Connection to OAST Domain via Script Interpreter", "sha256": "1203b6747b51b4832b4ebefe2903731584e77306aacc9f20d75fbf1cf7d1c66e", "type": "eql", - "version": 2 + "version": 3 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "rule_name": "Uncommon Registry Persistence Change", "sha256": "04bf11d21b2237ee52b0b88167f0cfa4fc196dde2f4fbfda8b651395b6ef1329", "type": "eql", - "version": 217 + "version": 218 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "bb8801610e32224071dc341162073ded5df413ddf4c2cdcfb9b7e8442242b149", "type": "query", - "version": 215 + "version": 216 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "rule_name": "Network Logon Provider Registry Modification", "sha256": 
"3cff6043bb08ad2cb24e8d37adc43a86a8670e3e4d63ab64da8590469e6d827d", "type": "eql", - "version": 219 + "version": 220 }, "55a372b9-f5b6-4069-a089-8637c00609a2": { "rule_name": "First-Time FortiGate Administrator Login", - "sha256": "dc6756e17a5caafb08cff75318b119554d594cf173231c99c746ca29d50d8d3c", + "sha256": "c4fb1ff8ed2ffd5c051d400afa6f897da4a8354945f80a90f239233f10dc7f44", "type": "esql", - "version": 4 + "version": 6 + }, + "55be0398-e72d-4c02-a916-b11d62af0e29": { + "min_stack_version": "9.3", + "rule_name": "Uncommon DNS Request via Bun or Node.js", + "sha256": "d5c86e334453982f60b35cdb51cdd80067955f1c940ee53cdfb95c6fdb710904", + "type": "new_terms", + "version": 1 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "b5649c8ab6926d99ffe7da8140bf8d357b61e8cee079d84f7e6f83ec3b98d852", "type": "eql", - "version": 218 + "version": 219 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "rule_name": "PsExec Network Connection", "sha256": "af8f8b17e077e18ee55fe944de4a17281aedb7f00d55333d69560c44623fcfd7", "type": "eql", - "version": 214 + "version": 215 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { "rule_name": "Windows Installer with Suspicious Properties", "sha256": "a8fdb430eef1c2a8a281cadce30763cc48c12db7cd45cafcc018d558cac60d8d", "type": "eql", - "version": 4 + "version": 5 }, "55f711c1-6b4d-4787-930d-c9317a885adf": { "rule_name": "Suspicious Execution with NodeJS", "sha256": "afa591418c578bdd961e701d31a05f0a953c1cd95151b2aef63107e7e00a5fe0", "type": "eql", - "version": 4 + "version": 5 }, "56004189-4e69-4a39-b4a9-195329d226e9": { "min_stack_version": "9.4", 
@@ -4488,61 +4507,61 @@ "rule_name": "Unusual Process Spawned by a Host", "sha256": "d1bc1e43d67b87351b3a10c4bd73b589d019f0eb8f4519a5fdd013f9c57732a8", "type": "machine_learning", - "version": 210 + "version": 211 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "9bc6208af462e05208a3ba998898d18819968882805d9c738507807be1b330c2", "type": "eql", - "version": 210 + "version": 211 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "8cf3c09ba2db0c7300a67369106a28725e2c5cc57e9c57d8cf14fe64d7a8c303", "type": "query", - "version": 212 + "version": 213 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "rule_name": "Potential Admin Group Account Addition", "sha256": "87db461459ea0a1c445b59dfa9d8e7368c2afc905f30243a589b82af51f8515d", "type": "eql", - "version": 211 + "version": 212 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "rule_name": "Dumping of Keychain Content via Security Command", "sha256": "e402572e5dc8c2c7305905227898b75e4d1a151ec425b3c8b433e5816cd325d4", "type": "eql", - "version": 112 + "version": 113 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", "sha256": "a41c9b731116a7c1e1a6c3aa9f43347ea30abb1eea8076c45c74804e6b07a048", "type": "query", - "version": 109 + "version": 110 }, "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": { "rule_name": "Windows Sandbox with Sensitive Configuration", "sha256": "cb4b6f0adb8773383e682fe16570cbca4179d222ed197d04b3d89fa29926d486", "type": "eql", - "version": 4 + "version": 5 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "rule_name": "PowerShell PSReflect Script", "sha256": "3a6e599f9d4af81d7cd9eabc89715d727103b98f4323896df81d7d3cc2fe6f74", "type": "query", - "version": 318 + "version": 319 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { "rule_name": "Execution of an Unsigned Service", "sha256": 
"98a1bb00cc5109dfee42a633f855fff9346d0648551bebc3d0863b1561b49aa2", "type": "new_terms", - "version": 109 + "version": 110 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "5df33e1e630173c386e4532fe8fccafa945c531cdaad3bf9f65a20605287464b", "type": "query", - "version": 111 + "version": 112 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Elastic Endgame", 
@@ -4560,55 +4579,55 @@ "rule_name": "AWS Credentials Searched For Inside A Container", "sha256": "b09e2c974cc1d80c0c75f3799dc517a1ba657bb18f02243743e329247980db61", "type": "eql", - "version": 4 + "version": 5 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "rule_name": "PowerShell MiniDump Script", "sha256": "5c5ee438716479240dd176d2f4b269ac7093f03e6ceffde51b86912f8b8d4ee2", "type": "query", - "version": 214 + "version": 215 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "4944bbed621deeb513b94814d78fab8b15895a6fbf5a4b3c12e69c50f5a82be6", "type": "eql", - "version": 109 + "version": 110 }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { "rule_name": "DNS Global Query Block List Modified or Disabled", "sha256": "971eb40543306c60de5695b0c5c5323b2de381b23f1e442ce30cb39d29eb2c97", "type": "eql", - "version": 211 + "version": 212 }, "57e118c1-19eb-4c20-93a6-8a6c30a5b48b": { "rule_name": "Remote GitHub Actions Runner Registration", "sha256": "8da226b40be571223b8382299f5497f08742a417a0afe756e9005488a6a3604a", "type": "eql", - "version": 3 + "version": 4 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Backup Deletion with Wbadmin", "sha256": "ab7e97c915d3a23943a57f5610efdbf9dfa1c8b60f4a82155800f5eb754553dc", "type": "eql", - "version": 320 + "version": 321 }, "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": { "rule_name": "Unusual Web Config File Access", "sha256": "d0e52d0a9d67db8bc963869c1db6a15171b3f593e995b5a08bc6bde2194de611", "type": "new_terms", - "version": 4 + "version": 5 }, "5889760c-9858-4b4b-879c-e299df493295": { "rule_name": "Potential Okta Brute Force (Multi-Source)", "sha256": "cdac32489551a612c6bdd1002c5f9beb3f39e4e418574f5d004a7307b21e02c3", "type": "esql", - "version": 3 + "version": 4 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", "sha256": "80ca9aa2214417366e41ffd82cd9a7232496f7791e47f1fe0b600d0b8425bf40", "type": "eql", - "version": 317 + "version": 318 
}, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", @@ -4620,37 +4639,37 @@ "rule_name": "Potential Lateral Tool Transfer via SMB Share", "sha256": "ac7bf2a46ba5a70e8f7adf24b3dff91fc99d215a6ead840ce7f034f27e013106", "type": "eql", - "version": 113 + "version": 114 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", "sha256": "4d86cd35f177a472f2469c620376892ff2965ae63188678ced96c35b2bfa11b3", "type": "eql", - "version": 116 + "version": 117 }, "590fc62d-7386-4c75-92b0-af4517018da1": { "rule_name": "Unusual Process Modifying GenAI Configuration File", "sha256": "4c8318ca5f58fb1f5df70040197b63e88f8b5f390e666cc85e3eac0c39129222", "type": "new_terms", - "version": 6 + "version": 7 }, "5919988c-29e1-4908-83aa-1f087a838f63": { "rule_name": "File or Directory Deletion Command", "sha256": "7742b4d700c05a6edae94904b1648746b5b85845c114eb60cbfc8fb84972171f", "type": "eql", - "version": 7 + "version": 8 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish", "sha256": "52f073fe724020db891045530704a08c294fa95ee10247f3232467f93bd3fb85", "type": "query", - "version": 213 + "version": 214 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", "sha256": "820bd96ddd179512b9d5a0163bb9f14bab4331cc45be72aa7718ebace53c28c0", "type": "query", - "version": 214 + "version": 215 }, "59756272-1998-4b8c-be14-e287035c4d10": { "min_stack_version": "9.4", 
@@ -4666,127 +4685,127 @@ "rule_name": "Unusual Linux User Discovery Activity", "sha256": "60849ad13847f09c4d9a8563601b9291916f289bea439f511a4171ec4a013351", "type": "machine_learning", - "version": 208 + "version": 209 }, "59bf26c2-bcbe-11ef-a215-f661ea17fbce": { "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source", "sha256": "4ee4a4ce4a9ac868a787a8fcadc3d1b7655e2840e1b76969a14ac4571928d40a", "type": "new_terms", - "version": 9 + "version": 10 }, "5a138e2e-aec3-4240-9843-56825d0bc569": { "rule_name": "IPv4/IPv6 Forwarding Activity", "sha256": "d9cf4c038f53b5ebd1c30a304fb8870d6145d0785926200cf0374842c84220ff", "type": "eql", - "version": 108 + "version": 109 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "1f54949694e1a11f3a6cfb3b63ee8e578f5bf33cdb23bf40ea319d20845ff3d0", "type": "eql", - "version": 314 + "version": 315 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "rule_name": "Potential Reverse Shell via Java", "sha256": "c5e601c37a1f317b85f5d0a30462e149c962b83d62e9b3655509a65b1a4668d1", "type": "eql", - "version": 14 + "version": 15 }, "5a876e0d-d39a-49b9-8ad8-19c9b622203b": { "rule_name": "Command Line Obfuscation via Whitespace Padding", - "sha256": "1bf4f552f7599807a7e15afba35b168d0ca331e3b70e945506eb527d1e088934", + "sha256": "4f8678e1a8482e9d680fbd05a4eb152a92d5e62b859d7d636ef207ace9a4c2a5", "type": "esql", - "version": 4 + "version": 6 }, "5ab49127-b1b3-46e6-8a38-9e8512a2a363": { "rule_name": "ROT Encoded Python Script Execution", "sha256": "3570dec854c263de8cdebc1855ebfe5f7ab4526fc849b9e3a925eca865cdb5c7", "type": "eql", - "version": 6 + "version": 7 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { "rule_name": "Potential Chroot Container Escape via Mount", "sha256": "8e98b708a9211e5d0ebef862842c54d085108d51b98842c091c5b26228dfa6ee", "type": "eql", - "version": 108 + "version": 109 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login 
Enabled via systemsetup Command", "sha256": "633d6227e7b67c05c46dd509f2cd8d07f37e29fa580d76f692df49fea3e78ff7", "type": "eql", - "version": 111 + "version": 112 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "2cfbca1b129860895636735b8d15df004c74a582e3be5fc79d043ee9eb08bd50", "type": "eql", - "version": 314 + "version": 315 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", "sha256": "d3606ed659895f8c1cfdbff613629c196b862c209892b801f1b8370aaaf4277d", "type": "eql", - "version": 114 + "version": 115 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { "rule_name": "SUID/SGUID Enumeration Detected", "sha256": "600013f59808acf8e3fbcb916efe820a124db6b8d3605bf5fe031d1b729b358d", "type": "eql", - "version": 11 + "version": 12 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { "rule_name": "Suspicious which Enumeration", "sha256": "dfef9c7a379453c311f0bfab1d39e33e823cd53ca0d1401b0c395667b781beb7", "type": "eql", - "version": 112 + "version": 113 }, "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": { "rule_name": "Successful SSH Authentication from Unusual User", "sha256": "7be56f4b8d28507b68d83d793cca3e982deab0387b8e00b6117aafe109cb2bc3", "type": "new_terms", - "version": 5 + "version": 6 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", "sha256": "4556a2b4d9ae5c0709537287d7c352c49fd07266ec3e249028df8c684d8e7bf2", "type": "eql", - "version": 9 + "version": 10 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation", "sha256": "8a47a48d97d6455444a465225652850ef188dd562e9f8c43f6fc8781a717f891", "type": "new_terms", - "version": 323 + "version": 324 }, "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { "rule_name": "Boot File Copy", "sha256": "9631f14860402dcf2e73a1613d08cf82bef87f7b793098b03b5ececfe9236c85", "type": "eql", - "version": 5 + "version": 6 }, 
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": { "rule_name": "Base64 Decoded Payload Piped to Interpreter", "sha256": "027fc040e1e9e549efb1038c541a0965a6a625c7cfa7ac595dfc9747ffca5b09", "type": "eql", - "version": 7 + "version": 8 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "7e201a9f630b65ea3703f55383653c8c701324ea8334853c13efb45ddd45bb79", "type": "query", - "version": 212 + "version": 213 }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "rule_name": "Process Capability Enumeration", "sha256": "958cb09fe0453597f345b91d73f1f8cf88e769e76285da2a9029817841f976b0", "type": "eql", - "version": 9 + "version": 10 }, "5c495612-9992-49a7-afe3-0f647671fb60": { "rule_name": "Successful SSH Authentication from Unusual IP Address", "sha256": "1131f0ba1299b1673272bd63bc99e020893f13a54959cc573c19f06e3c6d27c0", "type": "new_terms", - "version": 5 + "version": 6 }, "5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": { "rule_name": "Deprecated - SSH Process Launched From Inside A Container", 
@@ -4798,31 +4817,31 @@ "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "4ab3780669514a3c38d185828e425d62f8005baf7e564cfe108f7922d0d02d72", "type": "query", - "version": 108 + "version": 109 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "rule_name": "First Time Seen Account Performing DCSync", "sha256": "6efcf236f3f9c9963fb10ebd45d9b9de86581067dc5b3515bab1cdc720278271", "type": "new_terms", - "version": 119 + "version": 120 }, "5c81fc9d-1eae-437f-ba07-268472967013": { "rule_name": "Segfault Detected", "sha256": "6ae08cb11476bde01a0bc5e23c18dbeb3c64c7f9f56cadc416776d004a3f3938", "type": "query", - "version": 4 + "version": 5 }, "5c832156-5785-4c9c-a2e7-0d80d2ba3daa": { "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", "sha256": "f60eb9f78e9b31ecc263168312144052efe7d3d67430d9e8e4bc68396f433f20", "type": "eql", - "version": 106 + "version": 107 }, "5c895b4f-9133-4e68-9e23-59902175355c": { "rule_name": "Potential Meterpreter Reverse Shell", "sha256": "499e822266c7a93e65eed7dd53f2d4762b9ede773ae711da386d2dd215831704", "type": "eql", - "version": 12 + "version": 13 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "9.4", 
@@ -4838,86 +4857,86 @@ "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "e6d2c1bb66e9d94d5a0fc9e25fe3d8dd9a75eb35f100ed631a3df105e5748711", "type": "machine_learning", - "version": 207 + "version": 208 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "rule_name": "Potential Defense Evasion via PRoot", "sha256": "e1ae2e1cbed489a77754e6fab8a50f37f6de818e6fa2ca20d8096664e8add36c", "type": "eql", - "version": 112 + "version": 113 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "26553adf03310ab42539ce968440da4d62fc1fd18788e3d2f13aab321c9255db", "type": "eql", - "version": 215 + "version": 216 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "rule_name": "User Added to Privileged Group in Active Directory", "sha256": "f804eba2756db8092e43ff3affebdb403dbdc631098bebd3cdaf6ba3829b043e", "type": "eql", - "version": 217 + "version": 218 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "rule_name": "Persistence via PowerShell profile", "sha256": "bc50204842263093d6d6ad331922bf865f62b4a06b43ef3f9321955c32ad22ea", "type": "eql", - "version": 215 + "version": 216 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", "sha256": "e818c9edc963124f3fe4b690ac99f23981b4899d2ec0bbbffbb93c5590b8756b", "type": "eql", - "version": 112 + "version": 113 }, "5d1c962d-5d2a-48d4-bdcf-e980e3914947": { "min_stack_version": "9.3", "rule_name": "Forbidden Direct Interactive Kubernetes API Request", "sha256": "d27959c1650287e616fb7b235e828792e56a049f59244ffc1d56ad66b4b99d32", "type": "eql", - "version": 3 + "version": 4 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "c06d312788de6b526b2eda5008ba2de688020524b0142b2a077d564b7141a2e8", "type": "eql", - "version": 216 + "version": 217 }, "5d676480-9655-4507-adc6-4eec311efff8": { "rule_name": "Unsigned DLL loaded by DNS Service", "sha256": 
"ce96526f1173cee77a4a1a49988e5b43cac66b19bc7f0e268d904961da06ddc3", "type": "eql", - "version": 108 + "version": 109 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", "sha256": "7a9ce14eef48ed766c137dbe638528f60bbfd889852e3b0e0251ed30b6ed4b98", "type": "eql", - "version": 112 + "version": 113 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "048a359ddaed92e5d025d84b05ee14e0aeb65e3c2f980eefac7cd3196a48085b", "type": "query", - "version": 111 + "version": 112 }, "5e23495f-09e2-4484-8235-bdb150d698c9": { "rule_name": "Potential CVE-2025-33053 Exploitation", "sha256": "2b8137ee0622fa13bc6ca0d3bfa15b56f7274e8b11ddf245d4adb0d4dcc22a53", "type": "eql", - "version": 4 + "version": 5 }, "5e4023e7-6357-4061-ae1c-9df33e78c674": { "rule_name": "Memory Swap Modification", "sha256": "84ab5ac7a9d4da0254311ffb718735490af81e6cb6c191ead1f08277e7a520e9", "type": "eql", - "version": 108 + "version": 109 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Deprecated - M365 Teams Guest Access Enabled", "sha256": "266a162de1fb161531696272816f4b94596b9e60e70a673859f3162efb4333e6", "type": "query", - "version": 214 + "version": 215 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", 
@@ -4939,109 +4958,109 @@ "rule_name": "Unusual Process Detected for Privileged Commands by a User", "sha256": "5ec3183a9be36f68aded429224d36cce68ddfb8a955fcc82adb868c3880f0b8c", "type": "machine_learning", - "version": 104 + "version": 105 }, "5f0234fd-7f21-42af-8391-511d5fd11d5c": { "rule_name": "AWS S3 Bucket Enumeration or Brute Force", "sha256": "b03598902c032a90bd8c08caf8f74055975dd2b075bd845d15f0d4093459f506", "type": "threshold", - "version": 9 + "version": 10 }, "5f0fff18-f340-444b-9a98-c49ade766ff4": { "rule_name": "Kubernetes and Cloud Credential Path Access via Process Arguments", "sha256": "04635b1ebb2304ae1b43367de6032f6441c7f291dbc720cecb740ef3c2560809", "type": "query", - "version": 1 + "version": 2 }, "5f2f463e-6997-478c-8405-fb41cc283281": { "rule_name": "Potential File Download via a Headless Browser", "sha256": "243733569b61c9258414f81794aa80af97b0ce2a578f54cb1fc3eb3b6ffc5deb", "type": "eql", - "version": 209 + "version": 210 }, "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { "rule_name": "Potential Docker Escape via Nsenter", "sha256": "9b1fac0383ed7d24fc3004e580cec7bd3f701dee9659155fe2a61132c4c6280e", "type": "eql", - "version": 5 + "version": 6 }, "5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": { "rule_name": "NetSupport Manager Execution from an Unusual Path", "sha256": "f49bf2a2ea1c32cc3ab338dd4e8f8b582091b3afe242ad98d6e048aed2256252", "type": "eql", - "version": 3 + "version": 4 }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Compute VM Command Executed", "sha256": "8adae74085d1b365f947e33813e55390fedd6e9a18b0a155e3bc3ca16f8b6bb3", "type": "query", - "version": 108 + "version": 109 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "rule_name": "Entra ID Service Principal Created", "sha256": "53b3bb3ed81272c5cd748118879a25c793a01b0a8bad0cf6cf57a42745b3ba2b", "type": "query", - "version": 110 + "version": 111 }, "60c814fc-7d06-11f0-b326-f661ea17fbcd": { "rule_name": "M365 Threat Intelligence Signal", "sha256": 
"c39e4b442c100c558bad0866d26a3af772db700ab66c684e39f81c52511c464e", "type": "query", - "version": 4 + "version": 5 }, "60da1bd7-c0b9-4ba2-b487-50a672274c04": { "rule_name": "Discovery Command Output Written to Suspicious File", "sha256": "272a08b491e9e0ed926f59f6e233f7e3a98e77d56dc61ce20e65ccc863a87d4e", "type": "eql", - "version": 2 + "version": 3 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Deprecated - M365 Exchange DLP Policy Deleted", "sha256": "b61525284954c4fc0497d4722706527fd82f0c909a0d9d5d8436eb4eb64c73eb", "type": "query", - "version": 214 + "version": 215 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", "sha256": "20c0a63a1c617c1d92a564858fc23ec78f1cd2737c5ea492135d8d6d73d6cf20", "type": "eql", - "version": 213 + "version": 214 }, "61336fe6-c043-4743-ab6e-41292f439603": { "rule_name": "New User Added To GitHub Organization", "sha256": "20989b28438ebb27b577cc7e27b4a8fddb5f0e786199089dbf791275399a39f7", "type": "eql", - "version": 207 + "version": 208 }, "616b8d00-05f8-11f1-8f33-f661ea17fbce": { "rule_name": "Entra ID Service Principal Federated Credential Authentication by Unusual Client", "sha256": "b8a0677840e2ac54c009dfc71b670853c992e15ab05a71bbbeed68c4b46d35e3", "type": "new_terms", - "version": 3 + "version": 4 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "rule_name": "Interactive Logon by an Unusual Process", "sha256": "2a25d4c5aad531f8baec6e0f8a8a24a0fd3f1244408d9bddbf8d27fd796a2cd9", "type": "eql", - "version": 109 + "version": 110 }, "618a219d-a363-4ab1-ba30-870d7c22facd": { "rule_name": "FortiGate FortiCloud SSO Login from Unusual Source", "sha256": "1633c7aa0014d0a78d937ad7c074f29e3aae5b3ddaf38ce799a5141b9cdebaec", "type": "esql", - "version": 4 + "version": 5 }, "618bb351-00f0-467b-8956-8cace8b81f07": { "rule_name": "AWS S3 Bucket Policy Added to Allow Public Access", "sha256": "3add80c1e8b09bdfcf8f584070eca230034c9b21f79833ba3fe4693e6f61f11c", "type": "eql", - "version": 3 + 
"version": 4 }, "61ac3638-40a3-44b2-855a-985636ca985e": { "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "be24ceae2afa9baef47813fd03666ea34a8f4036452bf224e709f3f059656acb", "type": "query", - "version": 320 + "version": 321 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -5053,31 +5072,31 @@ "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "898d586695a755ed54cf089cb8a62fce3c122615f91824a319f0bc896b29a1fc", "type": "eql", - "version": 219 + "version": 220 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "e0477a60892cad9da6b82baf80a54de4df04b8f72415f9f443b405c02849bc35", "type": "threshold", - "version": 211 + "version": 212 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "277bd1c15f356f6fe781c3b6e303d8cc742ef862f2dfbee02ad935fe105a085b", "type": "eql", - "version": 212 + "version": 213 }, "627374ab-7080-4e4d-8316-bef1122444af": { "rule_name": "Private Key Searching Activity", "sha256": "79f110a532df654130e63c8b81f83d83d968d2789069f0c82d5fc5cd50e602da", "type": "eql", - "version": 107 + "version": 108 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "rule_name": "Account Configured with Never-Expiring Password", "sha256": "9b330c0df477e18fc4f7752d72e5b9bd2518f96989dc84c247943246459ff92c", "type": "eql", - "version": 217 + "version": 218 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { "rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection", 
@@ -5089,73 +5108,73 @@ "rule_name": "Persistence via Suspicious Launch Agent or Launch Daemon", "sha256": "e96f8422546d427d174b67e32e22f9f294338e62a32b312144be86d8f54cbf31", "type": "eql", - "version": 1 + "version": 2 }, "63153282-12da-415f-bad8-c60c9b36cbe3": { "rule_name": "Process Backgrounded by Unusual Parent", "sha256": "030fd3f59aba85e33e9013260fe60ecd2b7e4e805aece285791cb170737d59d9", "type": "new_terms", - "version": 5 + "version": 6 }, "632906c6-ba8f-44c0-8386-ec0bbc8518bf": { "rule_name": "M365 SharePoint Site Sharing Policy Weakened", - "sha256": "df946fcbb376eb3a51b2e8299075494cccd95d5229b4b956537d4f162ce80731", + "sha256": "76bf9d181f4bf2c94377009c32dae09ae0ad9eab96bbc371a6e0972cd061b909", "type": "query", - "version": 3 + "version": 5 }, "63431796-f813-43af-820b-492ee2efec8e": { "rule_name": "Network Connection Initiated by Suspicious SSHD Child Process", "sha256": "3b0351c806161fe08412397624b92f4f969afffbb96b21e055a0631d33614a4f", "type": "eql", - "version": 9 + "version": 10 }, "63c05204-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", "sha256": "e6322acdcf8bfdea43c886c81f1d74c7982802542e500006806f52c422a951b3", "type": "query", - "version": 12 + "version": 13 }, "63c056a0-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent", "sha256": "7de86c2aa0f76814053d0f5818bc392c8c2e59db281f8891357f87d0057dfc26", "type": "new_terms", - "version": 12 + "version": 13 }, "63c057cc-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent", "sha256": "298014d2796245f46bde784ce5a8c9a9bd75184e6d80bab634ae84b03fa3710c", "type": "new_terms", - "version": 13 + "version": 14 }, "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "rule_name": "Sensitive Registry Hive Access via RegBack", "sha256": "4fba1a906dc24aa562d7f26cec26c9dcda0607ed266e8b587cfddf5a6f683d29", "type": "eql", - "version": 7 + "version": 8 
}, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", "sha256": "ba4096f48f3a66bf6278a94d26beb5dd78a438641db6fc511bf73d79bbe9986d", "type": "eql", - "version": 213 + "version": 214 }, "640f0535-f784-4010-b999-39db99d2daeb": { "rule_name": "Potential Git CVE-2025-48384 Exploitation", "sha256": "96a8f21a03b2eacdcb3c26f34ea7073e5fb7b7804eab2e552278f4b9a8524d75", "type": "eql", - "version": 2 + "version": 3 }, "640f79d1-571d-4f96-a9af-1194fc8cf763": { "rule_name": "Dynamic Linker Creation", "sha256": "a3ad27a4e1aba1d93a8fcff149f1e5ae7d0563416aa19c3e8221f2661ddface0", "type": "eql", - "version": 9 + "version": 10 }, "642ce354-4252-4d43-80c9-6603f16571c1": { "rule_name": "System Public IP Discovery via DNS Query", "sha256": "bef682517bba6454fba3806195c56aa37a003760553409c96e4ac565bcbe7b7e", "type": "eql", - "version": 4 + "version": 5 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "min_stack_version": "9.4", 
@@ -5171,31 +5190,31 @@ "rule_name": "Anomalous Process For a Linux Population", "sha256": "cfbfe676b63f196bd4399206148f3a8920d108155f2abfa3c4bf59600cb422e0", "type": "machine_learning", - "version": 207 + "version": 208 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", "sha256": "c6de97f12a7345d14030b631a6baa062804944e85c22ece163742abc536d4b59", "type": "eql", - "version": 112 + "version": 113 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "rule_name": "Network Connection via Recently Compiled Executable", "sha256": "7a4ee8a9aed27286d48b832645557e5b2b3be000c4b6d33e49f64977508ff9da", "type": "eql", - "version": 12 + "version": 13 }, "64f17c52-6c6e-479e-ba72-236f3df18f3d": { "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences", "sha256": "db724e0530dad97417c3737f077e737a1dfdf44b5ae1d4621f68d2fba0a4c75d", "type": "esql", - "version": 12 + "version": 13 }, "6505e02e-28dd-41cd-b18f-64e649caa4e2": { "rule_name": "Manual Memory Dumping via Proc Filesystem", "sha256": "cc3d4c8b00317668d507150f4b0441132efe96a271f0e24182e1cf439f2bb036", "type": "eql", - "version": 4 + "version": 5 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { "rule_name": "Potential PrintNightmare Exploit Registry Modification", 
@@ -5207,68 +5226,68 @@ "rule_name": "MsiExec Service Child Process With Network Connection", "sha256": "d8cda461562a61f7ce64ed7629a070991b408f4432d740fc350a331768e162f6", "type": "eql", - "version": 206 + "version": 207 }, "65613f5e-0d48-4b55-ad61-2fb9567cb1ad": { "rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments", "sha256": "0d9923c694d6f9e84a63f6978e5c542e08285a98fca12980503e9b9e6e4e7909", "type": "new_terms", - "version": 5 + "version": 6 }, "656739a8-2786-402b-8ee1-22e0762b63ba": { "rule_name": "Unusual Execution from Kernel Thread (kthreadd) Parent", "sha256": "b755ed320d3960e63c0cc92dbb2de8e1a6292117110a7f2412799824e5118874", "type": "new_terms", - "version": 4 + "version": 5 }, "65f28c4d-cfc8-4847-9cca-f2fb1e319151": { "rule_name": "Unusual Web Server Command Execution", "sha256": "3d0ea0342f221d21119aee57a595095918d0fd86ad7f58cee311309b90fd0800", "type": "new_terms", - "version": 3 + "version": 4 }, "65f9bccd-510b-40df-8263-334f03174fed": { "rule_name": "Kubernetes Exposed Service Created With Type NodePort", "sha256": "b25056edc655b86fef84b34e0ac3641910735b515a07aedaa5f68db48b4f6937", "type": "query", - "version": 209 + "version": 210 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", "sha256": "7596d477c75194501eab55a1d56dbc23f408e9b52f0d6e9477fa3caf989cd8e1", "type": "eql", - "version": 112 + "version": 113 }, "66229f32-c460-410d-bc37-4b32322cd4bb": { "min_stack_version": "9.3", "rule_name": "Service Account Token or Certificate Read Detected via Defend for Containers", "sha256": "42652c071cbc82b5d5b670ff8b27255c0e0da12b974caa887303d2f29b94ed4f", "type": "eql", - "version": 3 + "version": 4 }, "6631a759-4559-4c33-a392-13f146c8bcc4": { "rule_name": "Potential Spike in Web Server Error Logs", - "sha256": "e61b3bdfbbae99ac498171b194cea724b8e328dca23b9288ceda1d39ac1355d0", + "sha256": "b082f83d649d990b2719c8e46afbbbcf304481131b23472dd3d3b9257a6efbc4", "type": "esql", - "version": 4 
+ "version": 6 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", "sha256": "a7ac6a2e16d97312a1f7e3689e445d816e61c1b2556bd4fc7d7a784553b57be0", "type": "eql", - "version": 12 + "version": 13 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "c8b7ed1cedb954e68d572f77deae21770e0c4204727df0625f6c6f1e66411a6b", "type": "new_terms", - "version": 210 + "version": 211 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "rule_name": "WebServer Access Logs Deleted", "sha256": "46b302e1052795242c5c6996364c7327c196bff092c53ab16033cb472970e7a3", "type": "eql", - "version": 211 + "version": 212 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected", 
@@ -5280,49 +5299,49 @@ "rule_name": "Connection to Commonly Abused Web Services", "sha256": "04483092ea7111ceb52a82ec96688eb7a5720d3ed3caf36c7e6e078b4713255c", "type": "eql", - "version": 131 + "version": 132 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "rule_name": "Linux Process Hooking via GDB", "sha256": "766af4a5b4b8dee8f8ef9498c1f216ad14f6f4755a93fd323998698d1ea1eb05", "type": "eql", - "version": 108 + "version": 109 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "d28d8e99ade43dc293d5e70aad016fc90f10ddea11625285e1adadf2fbd75457", "type": "eql", - "version": 213 + "version": 214 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "a70d87036505f114e41a399e3573e388e43a05046ff89eea597353a7778de895", "type": "query", - "version": 120 + "version": 121 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "rule_name": "Attempt to Modify an Okta Policy", "sha256": "f71ab483864d71a48cf0507edbbd3dff6d995b6508879227e0b7e250970c8097", "type": "query", - "version": 415 + "version": 416 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "M365 Exchange Mailbox Audit Logging Bypass Added", "sha256": "9e19b7471a462cb1508940d24058f3413af1a9726f051383aea06f04e4d56d76", "type": "query", - "version": 213 + "version": 214 }, "6756ee27-9152-479b-9b73-54b5bbda301c": { "rule_name": "Rare Connection to WebDAV Target", - "sha256": "92dc23143cbc051ac463e1539ef050749a186cdfe3109f3ac86c9460ddd6f70b", + "sha256": "f80cef785da616c90f873bd095a5ccb06bceb99db19e6f824838be0b7a98c066", "type": "esql", - "version": 8 + "version": 10 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", "sha256": "e6ecd90c1ffa19eca2a67af1b6c71e975b28190e2c7f1f5c14e41903155bbe1b", "type": "query", - "version": 414 + "version": 415 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", 
@@ -5334,7 +5353,7 @@ "rule_name": "High Number of Process Terminations", "sha256": "d4b68db35dd8a14409e6834fd97cc1e2a3b99967615f1f2270ae10e6d04dc2b3", "type": "threshold", - "version": 118 + "version": 119 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", 
@@ -5346,85 +5365,85 @@ "rule_name": "Image File Execution Options Injection", "sha256": "4abbdf2842ee1bcb6bdcb3f3b63039758c8b7295afb207b98f0304bc9077d56b", "type": "eql", - "version": 315 + "version": 316 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "M365 Exchange Federated Domain Created or Modified", "sha256": "ff4eb2e457d5e3ebe7454a8eb3478eb11c7a177531c3ddd4ab3336c25709cc38", "type": "query", - "version": 214 + "version": 215 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "944fb024ccefc8bb13bca9d85069633c0bd5b285d5b4e1fc8045e2bc1b44d5b1", "type": "query", - "version": 413 + "version": 414 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "9beba421bcfa504de24c2c44258d0fef5a2d5ba3711c7cc49e6b76ee0e0fdecb", "type": "eql", - "version": 318 + "version": 319 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "beb7c099e4c87d3147444605e39e6fb2a85af130454c62d43ae6eba5307ce395", "type": "query", - "version": 211 + "version": 212 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "f7eb5ecf08a0a74de530a080fd2441011bc3c38249a554220b2e2d15494fb386", "type": "eql", - "version": 212 + "version": 213 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "ca809a6bd6c5e473da5a47132318262a0953bf2a6bf09e1a3bcf772bcdea2d77", "type": "query", - "version": 215 + "version": 216 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "f279475dc730bc14f2dfd1ac9bc7084af731d369aaac73cf5fc818804da8e062", "type": "eql", - "version": 110 + "version": 111 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", "sha256": 
"ad69aa058d530466a81bf883cda42a241f9ad8a415e5291d1aea004a51787720", "type": "query", - "version": 3 + "version": 4 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "c65e804191ff9e8784d38dcbad208bc9015d005343b4073fa0671575a942d4fb", "type": "eql", - "version": 215 + "version": 216 }, "68e90a9b-0eab-425e-be3b-902b0cd1fe9c": { "rule_name": "Suspicious Path Mounted", "sha256": "c0ba7548cc496aae440498c2f64657c17215d4d8c1fc31821b516a0e55804eb3", "type": "eql", - "version": 3 + "version": 4 }, "6926b708-7964-425f-bed8-6e006379df08": { "rule_name": "FortiGate SOCKS Traffic from an Unusual Process", "sha256": "d649b848c5586e36017ccecc790367c99ca06795b3a429e69b524a3653d2bd55", "type": "eql", - "version": 3 + "version": 4 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "sha256": "746b43837e7ae358433e6c7a94c73a422528fb56a1902ab5a8be4999867587d0", "type": "query", - "version": 113 + "version": 114 }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "rule_name": "AWS IAM User Created Access Keys For Another User", "sha256": "a9bc6c80faa8050ae1541d7eee9897b8fbdb2612cca00069af0033e33a4817b1", "type": "esql", - "version": 13 + "version": 14 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", 
@@ -5436,79 +5455,79 @@ "rule_name": "Suspicious rc.local Error Message", "sha256": "9454ca1b21ce6bfe21d078e24b4f7889fa8857ff6d3aee43af4c4ffae0519891", "type": "query", - "version": 8 + "version": 9 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", "sha256": "afc10ab90f42c4075c81973e33977dfced66e7b5da2b5a85c40e181edfa63058", "type": "eql", - "version": 316 + "version": 317 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS Sign-In Root Password Recovery Requested", "sha256": "7b5ac4f195b8c0bbcc320b3d13f89fa4e87ebc1dda5d046a05b109076ae52048", "type": "query", - "version": 213 + "version": 214 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { "rule_name": "Attempt to Disable Auditd Service", "sha256": "b5bf8c334323c23629142910af291aa50391c82eed1b8a9f7c51e8d40d09d95d", "type": "eql", - "version": 106 + "version": 107 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "AWS EC2 AMI Shared with Another Account", "sha256": "38688952422703a3d3b321bdf3df09ef1d9a20fe5477a4b7a6bead6e6c13dcd7", "type": "query", - "version": 7 + "version": 8 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "f7c6d6964c3063f4a75d0ad2dd294083ed44eb61f6393e97482687d8b587d708", "type": "eql", - "version": 315 + "version": 316 }, "6aa52f86-18f1-4a5a-a0ac-e2b5db8af589": { "rule_name": "Potential Direct Kubelet Access via Process Arguments", "sha256": "a480ab08bb68a023f154a81f536831c446fe45a8dd9c246b4a34c4b93b247cee", "type": "eql", - "version": 1 + "version": 2 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "0e421040f2de589edbc8b55db8ee6a3865f670eccc1b4c5e9cc39c27d5b2e377", "type": "eql", - "version": 423 + "version": 424 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "rule_name": "Suspicious Utility Launched via ProxyChains", "sha256": "59a05181f1febc098b481acbd5cbd5725a57456d619a875909a207d3929c2b9c", 
"type": "eql", - "version": 113 + "version": 114 }, "6b341d03-1d63-41ac-841a-2009c86959ca": { "rule_name": "Potential Port Scanning Activity from Compromised Host", - "sha256": "e113a73efc518c41b6df6bd67190ab672c30b13dbda77e7e3445ed9d8e54c13f", + "sha256": "a4aaa9d6a5944e7bb4d4c2a5c13debc65b09498364ee5686a268ca9e8e0bf614", "type": "esql", - "version": 12 + "version": 14 }, "6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": { "rule_name": "Suspicious Curl to Google App Script Endpoint", "sha256": "25885ed63993320aa591be8ec7247e8cc1829c062e58638919cafebcf46b1d04", "type": "eql", - "version": 2 + "version": 3 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", "sha256": "114363c64adeb62c874af776f1d85c2e2b724262ed90f24a9d2862a2e5889496", "type": "new_terms", - "version": 215 + "version": 216 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "a1618bf40a3d1b476d391bef6a7af40d100c0da42d801e1e12dcdd09bf86fe7e", "type": "eql", - "version": 215 + "version": 216 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { "min_stack_version": "9.3", 
@@ -5524,25 +5543,25 @@ "rule_name": "Container Management Utility Execution Detected via Defend for Containers", "sha256": "914c8911ec926b779845b78a8a67ea55b68742b53eeed37aeece8e781654f707", "type": "eql", - "version": 105 + "version": 106 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "413515468916ea9977f82c881044a80545cce0cb54435a0b57493530e91809a5", "type": "eql", - "version": 314 + "version": 315 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "rule_name": "GitHub Repo Created", "sha256": "53e7e459aac5ef6a3b6aa399a0afefb7b4ec4727ffc73d731a6b4344b0b83431", "type": "eql", - "version": 207 + "version": 208 }, "6cf17149-a8e3-44ec-9ec9-fdc8535547a1": { "rule_name": "Suspicious Outlook Child Process", "sha256": "24294021daf4daac36d25201ce441fdef000f6859d77838c88d1b4c620d1c902", "type": "eql", - "version": 5 + "version": 6 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "9.4", 
@@ -5558,43 +5577,43 @@ "rule_name": "Unusual Process For a Windows Host", "sha256": "9342a3ec46ad8d944851a0ed0e81e1916668c1c67eb353a745fdabb4ddd0d70e", "type": "machine_learning", - "version": 316 + "version": 317 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", "sha256": "52515d5e9039aa01279cbaea65ab4da9d7718f306506f0a16edabfcb918a1a7d", "type": "eql", - "version": 9 + "version": 10 }, "6da6f80f-fe41-4814-8010-453e6164bd40": { "rule_name": "Suspicious Curl from macOS Application", "sha256": "3b2cab38c63f83f8b75a1a46cc2952021ecb6c26c6c258ef2158796eb2b26a89", "type": "eql", - "version": 2 + "version": 3 }, "6ddb6c33-00ce-4acd-832a-24b251512023": { "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse", "sha256": "eff0f62ddd3e0af974bfb14ab0530dd3f3a2a50d19bb8323fca26a786c9f7542", "type": "esql", - "version": 12 + "version": 13 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "rule_name": "Root Certificate Installation", "sha256": "0f941a4eec0eae5e8eafaea7a2a635dfc143067d98587953b98d26e0c1e891cd", "type": "eql", - "version": 106 + "version": 107 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "rule_name": "First Time Seen Remote Monitoring and Management Tool", "sha256": "9ec7d753b697c54652c65201dc1dcd09e6fdc59686ea6113b73fc595265689fb", "type": "new_terms", - "version": 117 + "version": 118 }, "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "rule_name": "Loadable Kernel Module Configuration File Creation", "sha256": "dfa88fafc1898a28d3c0b60e028940c7c8bf94c78ffec613d0a7fb9d99618482", "type": "eql", - "version": 6 + "version": 7 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "9.4", 
@@ -5610,31 +5629,31 @@ "rule_name": "Anomalous Process For a Windows Population", "sha256": "1e7c0617e681eb446d4f478862986e4d1a36fd313f0832c4b7a9a09033adb6d9", "type": "machine_learning", - "version": 311 + "version": 312 }, "6e4f6446-67ca-11f0-a148-f661ea17fbcd": { "rule_name": "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)", "sha256": "305c77756be1aa3ebef6c4519ccf07b2c84119e59377b3bba5a957090f6843c9", "type": "query", - "version": 1 + "version": 2 }, "6e5189c4-d3a5-4114-8cb3-bd3a65713f19": { "rule_name": "System and Network Configuration Check", "sha256": "362706edae4c15e704ffd619c77917cdbb538f4a44606d6f6c6632301bb6750c", "type": "eql", - "version": 2 + "version": 3 }, "6e6376c1-a71e-4789-a795-198b05664064": { "rule_name": "Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)", "sha256": "b0d72fb2fdf17d7765df40825acc7844ad727d6e0a7e402becfcdd378c0eecb3", "type": "query", - "version": 1 + "version": 2 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", "sha256": "59abbe99101114f6fb8998854a935a04ab4c459d3c6720a4db458e53a01505be", "type": "query", - "version": 216 + "version": 217 }, "6e92a21a-58e7-449a-9cfd-9f563f59ac88": { "rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host", 
@@ -5646,19 +5665,19 @@ "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "ab4fc675056ec570e1d0fcee0b5dade33ef3d33131e6bf6d225cffcf9d59ab10", "type": "eql", - "version": 213 + "version": 214 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "4f362555c866031271f8abb08e9f19566d14cb22bd946bed7430bca32e1d9ca1", "type": "eql", - "version": 215 + "version": 216 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "rule_name": "Security Software Discovery using WMIC", "sha256": "1a271b28efc2579203a371e1810f70f4c164c9030910f0cc18297ec982ee80a5", "type": "eql", - "version": 217 + "version": 218 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", @@ -5670,19 +5689,19 @@ "rule_name": "Unusual Exim4 Child Process", "sha256": "7e0456ccada902df35ecfeda239bfbc50dfd31a0dc386834fb8f2ea91eb4039d", "type": "new_terms", - "version": 4 + "version": 5 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding", "sha256": "97da24e60bffad5b475a89da7cb4210ecec866dcac2b9017ae9bc655d0a947be", "type": "eql", - "version": 115 + "version": 116 }, "6f024bde-7085-489b-8250-5957efdf1caf": { "rule_name": "Active Directory Group Modification by SYSTEM", "sha256": "76b7e15f05c16a73302c84e24542e26b21f45b57610fde617b93be59af49017c", "type": "eql", - "version": 108 + "version": 109 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", 
@@ -5694,13 +5713,13 @@ "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "87db5b1008a9782f6cdf83f6404d979b3324bcc547da1c4228118130307d4f8f", "type": "new_terms", - "version": 212 + "version": 213 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", "sha256": "50ac1ff7656d514815a0c4e4c39c449371e045968bc2d901f7d696b6bfaeceba", "type": "query", - "version": 210 + "version": 211 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", @@ -5712,13 +5731,13 @@ "rule_name": "Suspicious SeIncreaseBasePriorityPrivilege Use", "sha256": "1ed183a1e863a65ba89d88e5573fc1f3223f9eacb052a18d95f5ad248c7cba47", "type": "query", - "version": 3 + "version": 4 }, "6fa3abe3-9cd8-41de-951b-51ed8f710523": { "rule_name": "Web Server Potential Spike in Error Response Codes", - "sha256": "27e2f30dca9a09abd668da24cbc5efaf03c1466422e00b09ec2d3c29f085da0e", + "sha256": "b9f814d7930bd32fd38a539e24983d88ba3bdf7a40124d4c4894c0bca4ef3fba", "type": "esql", - "version": 5 + "version": 7 }, "6fb2280a-d91a-4e64-a97e-1332284d9391": { "min_stack_version": "9.4", 
@@ -5734,139 +5753,139 @@ "rule_name": "Spike in Special Privilege Use Events", "sha256": "838b61827d24324be69e2a9674684812960a9c05f5a20d8913051d9a8ae60821", "type": "machine_learning", - "version": 104 + "version": 105 }, "6fcb4fe4-ac74-449d-855b-2bbd5c51c476": { "rule_name": "Multiple Vulnerabilities by Asset via Wiz", "sha256": "0610ae726a3381c2a47b8847eccbe0161250a1617583d4adc8aa5389802803bc", "type": "esql", - "version": 3 + "version": 4 }, "70089609-c41a-438e-b132-5b3b43c5fc07": { "rule_name": "Git Repository or File Download to Suspicious Directory", "sha256": "cbf5324511ebf3d256beb8dd0237adcb4d5d5057979ca6751efcf7a7e11f8152", "type": "eql", - "version": 4 + "version": 5 }, "7020ff25-76d7-4a7d-b95b-266cf27d70e8": { "rule_name": "Interactive Shell Launched via Unusual Parent Process in a Container", "sha256": "f71732f04d4bb9024781631a563a70bc613f39033a63805b0e4f5383ed9f5398", "type": "new_terms", - "version": 3 + "version": 4 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", "sha256": "ef329416e88fd93ee0e0517742245b288bd8c1cd49172672a51d8b93a6a83875", "type": "query", - "version": 216 + "version": 217 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Resource Deletion", "sha256": "3fa1996d6fb2e966a0696cc5971c64d5a29c229f00cf24cf2ef9fa58cc3f261e", "type": "query", - "version": 214 + "version": 215 }, "70558fd5-6448-4c65-804a-8567ce02c3a2": { "rule_name": "Google SecOps External Alerts", "sha256": "3875d92943fd3bd7e6de3c62cedde504db8217fbfd89d59c6a6e5afa159386d3", "type": "query", - "version": 1 + "version": 2 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "65980fe1ae4be0bcb253357e4e833ea08e6cf9acc68b212beaf62c43948c1e50", "type": "eql", - "version": 105 + "version": 106 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", "sha256": 
"cd2bb38a4e974ce084c49ac98d868aadf1d62999ccde4a722c6f7f8681bb55b5", "type": "eql", - "version": 114 + "version": 115 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "sha256": "eee78f93f7aeeb4b4f0ea1b35b303f8ee2141b44381b92e735a4e4cf30039209", "type": "eql", - "version": 111 + "version": 112 }, "713e0f5f-caf7-4dc2-88a7-3561f61f262a": { "rule_name": "AWS EC2 EBS Snapshot Access Removed", "sha256": "98bb1d28c3cc0f6c239a56a9034dfea2bebed6256e2716dcf375e509c4de8ebd", "type": "eql", - "version": 7 + "version": 8 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", "sha256": "f6ead63e1234253e25aea1bb53b931f40995439f8381bf0772392858405f8080", "type": "query", - "version": 12 + "version": 13 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", "sha256": "48698d164ee9ef1e5911162525352f757091d4171f69f61e66b484e3292a3312", "type": "new_terms", - "version": 215 + "version": 216 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "9b65d29fa4cc5f9c11bea2a136e01f88ea77400beade01ab8c4bd36dbed7bb4d", "type": "eql", - "version": 324 + "version": 325 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "7c65898dade61844fe46d042846acb9ef9efc5f9db5d01aa35cdffc5e0069b05", "type": "eql", - "version": 214 + "version": 215 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "rule_name": "Suspicious Passwd File Event Action", "sha256": "6f10456533b056d27a062e3cd7f1b222441c8c716455684202ebbc452087ad19", "type": "eql", - "version": 8 + "version": 9 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", "sha256": "0d241c897dd9c807d936d644c16d714e96efa6b0d3a0742664dc6a58b71cc197", "type": "eql", - "version": 9 + 
"version": 10 }, "720fc1aa-e195-4a1d-81d8-04edfe5313ed": { "rule_name": "Elastic Security External Alerts", "sha256": "5378d1cf9cc62c93c87fca496cb3de399093caee93924ada0c9a7fc88cb0dfee", "type": "query", - "version": 2 + "version": 3 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Deprecated - M365 Security Compliance Potential Ransomware Activity", "sha256": "d6f4b7bdab6bfe9124312ba384a8f64ac35e481f8ee848ed5a0e9ed15340afb2", "type": "query", - "version": 215 + "version": 216 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", - "sha256": "9a4a0b4c3a7765a9f5aa08a40f32fe99e81d8e88a0251547e6e9c333931bdc14", + "sha256": "f3a375efa9dad165b0ceee2708b1a82c91b5e018d88c7a9b2e3e9b92105cc17e", "type": "esql", - "version": 7 + "version": 9 }, "7290be75-2e10-49ec-b387-d4ed55b920ff": { "rule_name": "Suspicious Network Tool Launched Inside A Container", "sha256": "c2ba7bc1f82579e203cf13c0276ae7a02175109e13c3b84aa194fb79ac1745b3", "type": "eql", - "version": 4 + "version": 5 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "f4492ee7450c2a4666b4a18506e59ba9cb9d94cc04f8edbcd923c1dfd1580dd5", "type": "query", - "version": 415 + "version": 416 }, "72c91fc0-4ac0-11f0-811f-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Non-Managed Device", "sha256": "1813453768a993697cc1479da5b1308872b3f2f780e62c10476e0809dca043f7", "type": "new_terms", - "version": 3 + "version": 4 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -5890,56 +5909,62 @@ "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "1e8acd425801d27306a75395ad7553fa89218783a9d5978e7cc46f96b06ee580", "type": "eql", - "version": 210 + "version": 211 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", "sha256": "529e1dbda15b3376095352d027735777a2397abe273d5ddbb29f3d1bd7214944", "type": "eql", - "version": 7 + "version": 8 }, "73344d2d-9cfb-4daf-b3c5-1d40a8182b86": { "rule_name": "AWS API Activity from Uncommon S3 Client by Rare User", "sha256": "4613606a794054e2bcc448e1d406d42931e2fe1c4b16baf16da9c7202686428f", "type": "new_terms", - "version": 3 + "version": 4 }, "734239fe-eda8-48c0-bca8-9e3dafd81a88": { "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", "sha256": "77e205ee183f6c0e0cde587784b03809024a7e9b5cc57a8f974dd2ce582aaaef", "type": "eql", - "version": 7 + "version": 8 }, "737626a2-4dca-4195-8ecd-68ef96fd1bad": { "min_stack_version": "9.3", "rule_name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers", "sha256": "eb5c59bba857613a7fb8d8110f1155d944972005c6f68ebc4ea9fec1a1a12df4", "type": "eql", - "version": 2 + "version": 3 }, "737b5532-cf2e-4d40-9209-d7aec9dd25d5": { "rule_name": "Potential PowerShell Obfuscated Script via High Entropy", "sha256": "5708605ae509a80e9e65f2dbe00db765afb07010b91d983c26301632cb269bf1", "type": "query", - "version": 3 + "version": 4 + }, + "73dd1f2c-3c24-4e13-a64b-dfd510e9fd98": { + "rule_name": "Cloud Instance Metadata Credential Path HTTP Request", + "sha256": "6d3abe8a47622302c534cb31973de874ecb522b58b11765981943efc51455150", + "type": "eql", + "version": 1 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "3dd383b6fe11d4426b88f4569f0a405f1405b9e6655ffe6108d3723e997d4a03", "type": "eql", - "version": 218 + "version": 219 }, "74147312-ba03-4bea-91d1-040d54c1e8c3": { "rule_name": "Microsoft Sentinel External 
Alerts", "sha256": "a34a03f8ae7aa0e2dd7e603598ea2a6ce21901318fe406e2e71b9bb9a42f8d8f", "type": "query", - "version": 1 + "version": 2 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", "sha256": "a9d6c1c782deeaef26911bdcca095460eb5de2281e53e7079c6db36ac880dd22", "type": "eql", - "version": 211 + "version": 212 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "min_stack_version": "9.4", @@ -5955,7 +5980,7 @@ "rule_name": "Unusual Hour for a User to Logon", "sha256": "ac721977de331da992d8c388a41ca573de3fa2661d93b6d29a41a90a9bc1d896", "type": "machine_learning", - "version": 207 + "version": 208 }, "746edc4c-c54c-49c6-97a1-651223819448": { "min_stack_version": "9.4", @@ -5971,13 +5996,13 @@ "rule_name": "Unusual DNS Activity", "sha256": "25d810e576a232cff1b05e8e1cafc5777193188de0f8be7a9f076a6512e89705", "type": "machine_learning", - "version": 208 + "version": 209 }, "74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61": { "rule_name": "Long Base64 Encoded Command via Scripting Interpreter", "sha256": "dd5b413bc795678ac76282ad2b90729974c94632a7d245e19db1783c66b64d64", "type": "esql", - "version": 1 + "version": 2 }, "74e5241e-c1a1-4e70-844e-84ee3d73eb7d": { "min_stack_version": "9.3", @@ -5993,14 +6018,14 @@ "rule_name": "Kubectl Workload and Cluster Discovery", "sha256": "3fb59d0debefff5c213a62421bae47af81fdede0f7c3848bdfca03c7fd031d20", "type": "eql", - "version": 103 + "version": 104 }, "74ee9a2d-5ed3-40c8-9e6c-523d2e6a17ef": { "min_stack_version": "9.3", "rule_name": "DNS Enumeration Detected via Defend for Containers", "sha256": "c5699f232d2c200ebee161e0ddfb53f45756ab0e1b8961965e65a95f0993eee1", "type": "eql", - "version": 2 + "version": 3 }, "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { "min_stack_version": "9.2", 
@@ -6014,9 +6039,9 @@ } }, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "86a8f77e493766f2573af3fd44aa5355acd0aee0ec046bc6bee7f1022fea8ab1", + "sha256": "08d8c3881a690e49014abab4bfe6cf06d9e4ef69202e75b1ef47a50941191f03", "type": "esql", - "version": 109 + "version": 111 }, "751b0329-7295-4682-b9c7-4473b99add69": { "min_stack_version": "9.4", 
@@ -6032,73 +6057,73 @@ "rule_name": "Spike in Group Management Events", "sha256": "6111ce5b8cc57029859f4d7d1f13628833682f103a77863112e446c6c0cc6f3e", "type": "machine_learning", - "version": 105 + "version": 106 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", "sha256": "9fc432aa9a279cced87c9fda16b8665d2628e1dab0015863865b7afb8f2a813a", "type": "new_terms", - "version": 112 + "version": 113 }, "75c53838-5dcd-11f0-829c-f661ea17fbcd": { "rule_name": "Azure Key Vault Unusual Secret Key Usage", "sha256": "697c251dced5fdee5d4b9057aa2f791ab784595cc2b812fc403b7fe96b202bb8", "type": "new_terms", - "version": 4 + "version": 5 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "rule_name": "Service Disabled via Registry Modification", "sha256": "69703b792212ac650f5366d9c9672d3727d599a31dc333a09e730b29acaff933", "type": "eql", - "version": 6 + "version": 7 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "134c4594176dbca2b7f74074f945c476a08d79d6a308778f0f010a173d7a48da", "type": "query", - "version": 105 + "version": 106 }, "75f9b95f-370b-4ff3-a84c-66d9ec0b84eb": { "rule_name": "Nsenter to PID Namespace via Auditd", "sha256": "f88c26dc7d5fb9ad8dc2e4c143876eed2b3cdafaa896df247ffb58aa20da89be", "type": "query", - "version": 1 + "version": 2 }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "b1b0ac8a275f03a9e4f9266bdecc75a46d294a978807e76dfa46eff651b47ddf", "type": "query", - "version": 108 + "version": 109 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "rule_name": "Kubernetes Pod Created With HostIPC", "sha256": "3873bd6f2cb62ec83ea96f063ed37b195de67943416ef7620e3e8fc66c8a5cf5", "type": "query", - "version": 210 + "version": 211 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": 
"99fbc0670843f40742c6738d7b65a175e21e572c0104971752b9a0481f21d03b", "type": "eql", - "version": 119 + "version": 120 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "rule_name": "Creation of Hidden Shared Object File", "sha256": "fdaa141067192258d1fba1bc103d8e8971607fbf4b6aad9407dadd5afc396de9", "type": "eql", - "version": 215 + "version": 216 }, "769a2e72-11bd-437b-9503-e51e7790d273": { "rule_name": "Potential Privilege Escalation via SUID/SGID", "sha256": "ce94437cea9118c4db77c156765f82ad48e2325fed6434593be74ac094b0b2e5", "type": "eql", - "version": 1 + "version": 2 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "b57e22699be52ca6afa8d2d3fcd39a54dc822e9f4b0c45e9202b101e20d7299b", "type": "eql", - "version": 212 + "version": 213 }, "76de17b9-af25-49a0-9378-02888b6bb3a2": { "min_stack_version": "9.4", 
@@ -6114,43 +6139,43 @@ "rule_name": "Unusual Country for an Azure Activity Logs Event", "sha256": "daad53aa4c99d2d19175b91467d915c42a7f126b889c1a81734f3a78d05f6575", "type": "machine_learning", - "version": 102 + "version": 103 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", "sha256": "60456e0811186e9f508af57452cb7f817f28f4cee61eda0f03c1f2c5b8a81d31", "type": "eql", - "version": 15 + "version": 16 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "01ae46d4f651856933ca7c8347ea064170f254722c3796b0dff3566bcd3e9e8c", "type": "eql", - "version": 421 + "version": 422 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "0144659d5bb4aa17f606b5607bc2c8f3c8aa5e81be4a31afa402a200ff25cc34", "type": "eql", - "version": 321 + "version": 322 }, "77122db4-5876-4127-b91b-6c179eb21f88": { "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", - "sha256": "c2d560f60f74a23d2e584cb249c922e56a552e5f3a1c99eda122d4d0bff70fc0", + "sha256": "86a0dbef3266bd06d495e1e2ceb7a8331df565b85b7f720574b5f5c88db3b026", "type": "esql", - "version": 12 + "version": 14 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "Entra ID User Added as Registered Application Owner", "sha256": "c60444bf7db1c5dbe2aaa41078d472a6d0f4989088577b2fd9de8fd099b0171d", "type": "query", - "version": 109 + "version": 110 }, "7787362c-90ff-4b1a-b313-8808b1020e64": { "rule_name": "UID Elevation from Previously Unknown Executable", "sha256": "b2f265c1c6f02ff0149022c18138a9ef408fa696e50c27e9d3445721816237f5", "type": "new_terms", - "version": 9 + "version": 10 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Elastic Endgame", 
@@ -6162,67 +6187,67 @@ "rule_name": "Potential Network Sweep Detected", "sha256": "8cd906472fcb1e0eab241dcb4b3e15dc1d20c8b99da3affe9cb3b454b7b9eeb6", "type": "threshold", - "version": 15 + "version": 16 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { "rule_name": "Yum/DNF Plugin Status Discovery", "sha256": "4ee525bb41e218ef13fb88f401ac12bc1f5f99fa86cac02a671bd02fc136b7a9", "type": "eql", - "version": 108 + "version": 109 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", "sha256": "89f593e9c2cc1086cf274ad161b75d49ea5f24797707c2ace2f1890b733afdb5", "type": "query", - "version": 210 + "version": 211 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Entra ID Privileged Identity Management (PIM) Role Modified", "sha256": "17c1e3c3e1f2363cca5097d1febb1c1fdfe1dbe7ec5c36f72b89312dc365a544", "type": "query", - "version": 111 + "version": 112 }, "78c6559d-47a7-4f30-91fe-7e2e983206c2": { "rule_name": "Unusual Kubernetes Sensitive Workload Modification", "sha256": "476c9475efcc39f0bfcb65ff6f40dba940e50eb387e43d16645a8701bb24bc15", "type": "new_terms", - "version": 3 + "version": 4 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", "sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89", "type": "machine_learning", - "version": 212 + "version": 213 }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "2a433940966f2f0fe891fea3f39e6171fa12e90c3e5ad849e26484da381596f7", "type": "eql", - "version": 315 + "version": 316 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", "sha256": "fc4e1f18cd4299cef9d02f0fe5c7750aec32de3ccf737640f92c69abcf8aa99f", "type": "eql", - "version": 8 + "version": 9 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "rule_name": "Unsigned DLL Loaded by Svchost", "sha256": "9ea32cdb4aba86e589f83ad01881254cc615057b09a596f8a1740009fe17a0ea", 
"type": "eql", - "version": 12 + "version": 13 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", "sha256": "9f0dd07e9624660f7c948faf37e93c69ecb2938712118952d7030e874b4d22cc", "type": "eql", - "version": 7 + "version": 8 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", "sha256": "560c80b54abbb9cafeb5763facbe1bfc1170340cdba87d2d26f437a953ebba55", "type": "new_terms", - "version": 109 + "version": 110 }, "79543b00-28a5-4461-81ac-644c4dc4012f": { "min_stack_version": "9.2", 
@@ -6252,37 +6277,37 @@ "rule_name": "Execution of a Downloaded Windows Script", "sha256": "b8466ad6bbac620f7b3c11957e157be4a1d5210c764eaefdf7289fda21a7f9d2", "type": "eql", - "version": 307 + "version": 308 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { "rule_name": "SSL Certificate Deletion", "sha256": "5fbbd63d53cc0bd3f5bbee608b8d9827efa8a7109088607acffa178fec33e640", "type": "eql", - "version": 105 + "version": 106 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", "sha256": "3333d79d05ec9e15466500362c0268b37e40266434c27aabb9d73657780de11b", "type": "eql", - "version": 9 + "version": 10 }, "79e7291f-9e3b-4a4b-9823-800daa89c8f9": { "rule_name": "Linux User Account Credential Modification", "sha256": "795cea2132f0be536e09c042566c70bedbac1d9a32d7d90a6e8263771c4988b8", "type": "eql", - "version": 5 + "version": 6 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "rule_name": "Potential File Transfer via Certreq", "sha256": "9cc0e6419c073ff3ff662d338732b39dfadec281284f8660850c09294746617a", "type": "eql", - "version": 217 + "version": 218 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "cb8b9a7be0c9d85f513c4b408bd065b0757c377d6e23ab723dc55a1741e20517", "type": "query", - "version": 219 + "version": 220 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", 
@@ -6294,25 +6319,25 @@ "rule_name": "AWS First Occurrence of STS GetFederationToken Request by User", "sha256": "e68fa16e0202bd0bc07a1d9c59cc6181f3add4f34d17e2e78a88be517363d37f", "type": "new_terms", - "version": 7 + "version": 8 }, "7ab5b02c-0026-4c71-b523-dd1e97e15477": { "rule_name": "M365 AIR Investigation Signal", "sha256": "7c2b1e9f0ab3d40c7743bcdd398666dea7ce01f11bbb9e71369a218dc1463f85", "type": "query", - "version": 1 + "version": 2 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", "sha256": "99fca949ae8edfb7afb964e72886e6e40bb9aa3611aba9a895220b6a5d0f2bba", "type": "eql", - "version": 11 + "version": 12 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { "rule_name": "Potential Execution via SSH Backdoor", "sha256": "115b28ee0d196e28e67c341ab955d79013a022f4f7a4f1e7899195e22fb80d16", "type": "eql", - "version": 11 + "version": 12 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", 
@@ -6330,49 +6355,49 @@ "rule_name": "Windows Network Enumeration", "sha256": "1287015e2cbbf36f6c4fd25871e0f13e424829e01845ab1568b70bc999cc1c93", "type": "eql", - "version": 216 + "version": 217 }, "7b981906-86b7-4544-8033-c30ec6eb45fc": { "rule_name": "SELinux Configuration Creation or Renaming", "sha256": "132d0281d9ffb39716b5e09b2766d142277327f0aa62e243fc7be053cda4e360", "type": "eql", - "version": 105 + "version": 106 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "dd30b5f7a318ad5565b52afd773e5291c49e0651eeb6c859d4b29d254f2a8ef4", "type": "eql", - "version": 312 + "version": 313 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Shell Command-Line History", "sha256": "86c142a7a15c278ed74582e86edcee7de433f554bb163446de4fa128c5a46b6a", "type": "eql", - "version": 111 + "version": 112 }, "7c2e1297-7664-42bc-af11-6d5d35220b6b": { "rule_name": "APT Package Manager Configuration File Creation", "sha256": "0f2225c0e5a72b8db9a421b84b3d7600a08c7515a0f9198c8171b5d44ec8a112", "type": "eql", - "version": 9 + "version": 10 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "ae791bdb776e660c7036a0cd0a7a5d8657ddacbac0fa524b8c3f09de72e8443b", "type": "query", - "version": 111 + "version": 112 }, "7ce5e1c7-6a49-45e6-a101-0720d185667f": { "rule_name": "Git Hook Child Process", "sha256": "e1aafa5f4d3337d194ce54fa78c294dd28edec70497f58d3cfefde65ee48e549", "type": "eql", - "version": 107 + "version": 108 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", "sha256": "79fdf63a5b07ec050f2e4bccf65b9edcd7fa0acde10d5690ad4573db1c639f17", "type": "query", - "version": 109 + "version": 110 }, "7d02c440-52a8-4854-ad3f-71af7fbb4fc6": { "rule_name": "Alerts From Multiple Integrations by Source Address", 
@@ -6384,7 +6409,7 @@ "rule_name": "AWS Lambda Layer Added to Existing Function", "sha256": "98b713e30dc1a5a360825e71125517e2765b46a0ac94fb83c2b75e0695d261c7", "type": "query", - "version": 9 + "version": 10 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", 
@@ -6396,91 +6421,91 @@ "rule_name": "Potential Execution via FileFix Phishing Attack", "sha256": "8017672e1d5a3e9db124d9945f7a4ac62f198aec6733b445b3bac6be45ac7d90", "type": "eql", - "version": 4 + "version": 5 }, "7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": { "rule_name": "Entra ID Custom Domain Added or Verified", "sha256": "62e7543d4496ac6e879f5717d0348eb2a77d4585482a48073792c0f094f57367", "type": "query", - "version": 2 + "version": 3 }, "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { "rule_name": "SSH Key Generated via ssh-keygen", "sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843", "type": "eql", - "version": 106 + "version": 107 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", "sha256": "85bbf6cf0101b56ff21d6892fe6fb8895c06afbd4c9ab6bace4d8db07ede02ba", "type": "eql", - "version": 7 + "version": 8 }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "d223ec9ab8f7b8c61d6100d7408999304a0de71fe37a9e8eb43cbc6b4a7ed459", "type": "eql", - "version": 316 + "version": 317 }, "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b": { "rule_name": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces", "sha256": "5ac05499166d15e3391528b35f73a7473b93b9ae723abcfc4d87c496388a52f0", "type": "query", - "version": 2 + "version": 3 }, "7e5c0e5a-95a5-404e-a5b0-278d35dc3325": { "rule_name": "AWS EC2 Stop, Start, and User Data Modification Correlation", "sha256": "5085178d8ef62259fb3d7a651f12d9b8070eec2122578fbd32b611c1df0df882", "type": "esql", - "version": 1 + "version": 2 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", "sha256": "602390ce15528f3c17793e86c7683d855e54283b997afff2b59450a9133c229f", "type": "eql", - "version": 5 + "version": 6 }, "7eb54028-ca72-4eb7-8185-b6864572347db": { "rule_name": "System File Ownership Change", "sha256": 
"1e042eae7f87d61976c6c536ce63589d0e4f670101060411413e6cb718dd5017", "type": "eql", - "version": 4 + "version": 5 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "rule_name": "Security File Access via Common Utilities", "sha256": "dfd9d1738b7b47ca18ef97c110717eb2ebb80cd79bf43dcd58d9f5ca4f7dc466", "type": "eql", - "version": 107 + "version": 108 }, "7f3521dd-fb80-4548-a7eb-8db37b898dc2": { "rule_name": "Potential Notepad Markdown RCE Exploitation", "sha256": "93a1125fa6da577483bb725160ffb4b13b5dad6f47ccd67d77955061d4375e0b", "type": "eql", - "version": 5 + "version": 6 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "37d093b58d917e0eb1a4d8f9b92723a63feff6e1f14d8f8be3cfa3f2b9b5fb6a", "type": "eql", - "version": 214 + "version": 215 }, "7f3a9c2e-1d4b-5e6f-8a9b-0c1d2e3f4a5b": { "rule_name": "Potential Root Effective Shell from Non-Standard Path via Auditd", "sha256": "d0f106dcb3ff6ae76fa7b71147a962b1e967aa7e742d48988008a8e178d54fa9", "type": "query", - "version": 1 + "version": 2 }, "7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b": { "rule_name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation", "sha256": "6cf3054443a5d4ce4ad838455a77599f465d2a6d1b7aac00f871e31970d212ad", "type": "eql", - "version": 4 + "version": 5 }, "7f65f984-5642-4291-a0a0-2bbefce4c617": { "rule_name": "Python Path File (pth) Creation", "sha256": "5357e1bfb039ea8b93e129b2cdac2371d183c097a8351e7f1b28d086e81f487f", "type": "eql", - "version": 7 + "version": 8 }, "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": { "rule_name": "Web Server Potential SQL Injection Request", 
@@ -6492,61 +6517,61 @@ "rule_name": "Discovery of Internet Capabilities via Built-in Tools", "sha256": "c36b3a20bc7851ef82f259a38a6c6a7ec11f8f1ed9af8787d9658342939f9463", "type": "new_terms", - "version": 105 + "version": 106 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", "sha256": "11fb6ed836d3d13fda309a2ddebc6784355450f5e65c15241634917d7de7a449", "type": "eql", - "version": 20 + "version": 21 }, "7fc95782-4bd1-11f0-9838-f661ea17fbcd": { "rule_name": "M365 Exchange Mailbox Items Accessed Excessively", "sha256": "5712eee0f955297e794d9c01a9e2b82c4704a5f852b2a23492292651861f45ff", "type": "query", - "version": 4 + "version": 5 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", "sha256": "fc200a3dd1eacf187d77b981115f644d11a90ee47affcd553b303b26d9b02e9c", "type": "eql", - "version": 12 + "version": 13 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", "sha256": "5a2251601cf605cb63463e81b7f57bf842eb1dd019bcc6e1a5d05909114cea77", "type": "new_terms", - "version": 111 + "version": 112 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "rule_name": "Unusual Process Extension", "sha256": "85aada873799d2431ff32fe657e4ba002fcd4cf73c7d5d23d9660764dcec119d", "type": "eql", - "version": 6 + "version": 7 }, "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { "rule_name": "Deprecated - Potential PowerShell Obfuscated Script", "sha256": "fefa473559337a11c4edaefa3914f1b5e6809c26b04da1e9eb98f17f147f93a2", "type": "query", - "version": 110 + "version": 111 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "AWS SSM Session Started to EC2 Instance", "sha256": "9ee1ebd6c05bbcb790468a9e8e11271e207a5620aa553dae437bbcb645fceeb7", "type": "new_terms", - "version": 6 + "version": 7 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": 
"be4fcdd1b914e92f16ebb75fc86828552c9fc7abda2685ac63b28f7d9a3f2054", "type": "eql", - "version": 108 + "version": 109 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", "sha256": "99bf6df5902600b0c743678eb247b68b3d1fdec36e3c5d7f879c547fd0141726", "type": "machine_learning", - "version": 213 + "version": 214 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", @@ -6568,19 +6593,19 @@ "rule_name": "Unusual Remote File Extension", "sha256": "6abbaa944d0c5d273806bc58f6c8e79ceb52c0924dd195ee94aee3930230f16d", "type": "machine_learning", - "version": 109 + "version": 110 }, "8154d01d-04d1-4695-bcbb-95a1bb606355": { "rule_name": "Gatekeeper Override and Execution", "sha256": "991965250b10d42aec5d6ee76ab2fd8a361227d80eb667d76a4fa93528ded285", "type": "eql", - "version": 2 + "version": 3 }, "8167c5ae-3310-439a-8a58-be60f55023d2": { "rule_name": "Suspicious Named Pipe Creation", "sha256": "253e887c55def671178ffe4b57883d3bc98217574f194ba83ff1120724e1a7e3", "type": "new_terms", - "version": 5 + "version": 6 }, "81892f44-4946-4b27-95d3-1d8929b114a7": { "min_stack_version": "9.4", @@ -6596,13 +6621,13 @@ "rule_name": "Unusual Azure Activity Logs Event for a User", "sha256": "0c6c500f67d15e6e004f30895284446912eed2946c7433eb1b2e43ac9cb1368d", "type": "machine_learning", - "version": 102 + "version": 103 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "b2573abd94d397aa342b54649a68d6dd61b1eab6fa2a85262d80622ade46a7e4", "type": "eql", - "version": 317 + "version": 318 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", 
@@ -6614,62 +6639,62 @@ "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "7a4d5185d5e5d9b1908bab0d3aca30a9fd909de1e7ed5bd9973f17ea38c45131", "type": "query", - "version": 320 + "version": 321 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "rule_name": "Temporarily Scheduled Task Creation", "sha256": "19540fa8823bf220012c9be723cb349c87f01d6257c20b38423e67c4c11e70e2", "type": "eql", - "version": 114 + "version": 115 }, "8248323e-f888-4134-a26f-37a6362f7231": { "min_stack_version": "9.3", "rule_name": "DNS to Commonly Abused Web Services", "sha256": "dbb5583417dd597c8f05b913273b53b8409710f3ae1eb6b9aa6e9eb4c83092fd", "type": "eql", - "version": 1 + "version": 2 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "5b5b70876d3001d659553913b8987b5454fa88d97ba664716d9d4d284a02725d", "type": "eql", - "version": 213 + "version": 214 }, "8293bf1f-8dd0-434e-b52a-1aa6ec101777": { "rule_name": "Suspicious Write Attempt to AppArmor Policy Management Files", "sha256": "805555cf50ddc4f2911f97266442eb357b42c55674a349ea4f73f305fce05479", "type": "eql", - "version": 1 + "version": 2 }, "82f842c2-7c36-438c-b562-5afe54ab11f4": { "rule_name": "Suspicious Path Invocation from Command Line", "sha256": "277df1300e839607dcd3b2f0c822ad6033930c8c4c737859b4bc8f29cacd38e4", "type": "new_terms", - "version": 7 + "version": 8 }, "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": { "rule_name": "Manual Dracut Execution", "sha256": "29c7059375d06cd1cc12a302f2333031ad5939f3b5d67b5793afadddfdaea7fd", "type": "eql", - "version": 7 + "version": 8 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "a2bb9648be410edc4f63b16588b57cd265841be85791537e0d4635d059306344", + "sha256": "b2a4836d17db8e9a4fc07bed95c967891c6e4ce8afd0df96514a379cf12501a3", "type": "esql", - "version": 14 + "version": 16 }, "8383a8d0-008b-47a5-94e5-496629dc3590": { 
"rule_name": "Web Server Discovery or Fuzzing Activity", - "sha256": "985bf66729f4fbb6875ca03651b5f088856495eb5e52ed0c62d9c950a63b5641", + "sha256": "d83fe4a414d17a095570931eccedc540ce362727af0e7ade3efdfec901021ab1", "type": "esql", - "version": 5 + "version": 7 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted", "sha256": "886e69fd58d0b30bee105947d384e6ea7ca847b28e272a7a462e23162be0cbb7", "type": "query", - "version": 108 + "version": 109 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { "rule_name": "Linux Restricted Shell Breakout via the mysql command", 
@@ -6681,80 +6706,80 @@ "rule_name": "Suspicious Windows Powershell Arguments", "sha256": "f37d18299f2b6ae378e9ebbda386f621a87953d1876e6a1d5d05d56a2a42375e", "type": "eql", - "version": 214 + "version": 215 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "e7181205724d4dd074ed7813ffe5b2b8d1e6b3d21158bb791df05b329db185d9", "type": "eql", - "version": 115 + "version": 116 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role", "sha256": "4ba4a6143b3e9c0796753566012abd8ce4d00f6dc4a07026f37ecdae32914447", "type": "new_terms", - "version": 9 + "version": 10 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "rule_name": "Deprecated - Microsoft Exchange Transport Agent Install Script", "sha256": "231fa1320c2fe2c406250a79a7d96b9d5ba958d3b53f96867c8c3d563d7b55f5", "type": "query", - "version": 110 + "version": 111 }, "84755a05-78c8-4430-8681-89cd6c857d71": { "rule_name": "At Job Created or Modified", "sha256": "e03a6361412c5e8705b679c6544081b684e4b0d563f052e0624e583983c7baec", "type": "eql", - "version": 7 + "version": 8 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "rule_name": "Potential Upgrade of Non-interactive Shell", "sha256": "a68732ae9d35dba87c95fbec9aec936ab7565c1de5ba804a22841eadf018b195", "type": "eql", - "version": 108 + "version": 109 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "910ab24992b092b670b8f46bc6acd50d1ebd6641c4c0afbe68cb426c5c30f8bc", "type": "eql", - "version": 219 + "version": 220 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "rule_name": "Potential Remote Credential Access via Registry", "sha256": "574d715b6ce4b597ea59f0da4cbc28681d04fd706bffc3261faddca6bb433510", "type": "eql", - "version": 114 + "version": 115 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": 
"b3fd7ce2686a4da739298c81e33a67dfa9c63b11eb3976fa0b8c45ac55facc8a", "type": "new_terms", - "version": 217 + "version": 218 }, "85d9c573-ad77-461b-8315-9a02a280b20b": { "min_stack_version": "9.3", "rule_name": "Process Killing Detected via Defend for Containers", "sha256": "801e043b5aec7ea7952aa8ade78a681fd2bb3fdde4e305a4c8dae8cda599d58d", "type": "eql", - "version": 1 + "version": 2 }, "85e2d45e-a3df-4acf-83d3-21805f564ff4": { "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", "sha256": "e2f5f510ca7a02c9742e8740fd5c6a609fdbff33b7d65d755b9a2a93ef2d248b", "type": "esql", - "version": 11 + "version": 12 }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", - "sha256": "10bbd6b833bdba66080b6ea0671751c89bbd7d3fc0518fa6f03c456539502df0", + "sha256": "a8ed26b32cd94694adce57becfac407e2bf6897f14d5a065df29a2216e32fb20", "type": "esql", - "version": 12 + "version": 14 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "941cacbf7dfc86fc7816d9a2c8584951737f2b4dcf09ad1841befdc1cfa1ffe5", "type": "query", - "version": 212 + "version": 213 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "Deprecated - AWS RDS Security Group Deletion", 
@@ -6766,19 +6791,19 @@ "rule_name": "AWS IAM Group Deletion", "sha256": "3abaf9bcf2904f994396d8543bd3aaeef43a2e98d31e9eefa381b426864ee55a", "type": "query", - "version": 212 + "version": 213 }, "86aa8579-1526-4dff-97cd-3635eb0e0545": { "rule_name": "NetworkManager Dispatcher Script Creation", "sha256": "af4d1639fa424646c1f9aea3aa4e17d4c520b08a657af139282fba725cfc76d9", "type": "eql", - "version": 7 + "version": 8 }, "86b3a245-03de-49a5-ab57-ae44d8f064da": { "rule_name": "Container Runtime CLI Execution with Suspicious Arguments", "sha256": "b49008a2e524c3ab2b367ae2d73b208ee6a89c06a8e67a6bbd6c28ef543e4bd6", "type": "eql", - "version": 1 + "version": 2 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "rule_name": "Potential Linux Reverse Connection through Port Knocking", @@ -6790,25 +6815,25 @@ "rule_name": "Security Software Discovery via Grep", "sha256": "dd820be9349011d4ec335569d9898cb70ea8a935ad0df6f01cbe987c9d711bc7", "type": "eql", - "version": 113 + "version": 114 }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", "sha256": "4bbc068166c4cd467e8b63f0500aaddf001c6469a8ae6a620d661881570e619f", "type": "eql", - "version": 220 + "version": 221 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", "sha256": "e339c78401a6804c63a87a211a0a0487e1e57f189247c6bf1d912d29cfc286d6", "type": "query", - "version": 9 + "version": 10 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "5f457fe98b665b8a9e62cc644d1ab36295835009aa64a66b3ba48a3a15c0e423", "type": "query", - "version": 213 + "version": 214 }, "877cc04a-3320-411d-bbe9-53266fa5e107": { "min_stack_version": "9.3", 
@@ -6824,7 +6849,7 @@ "rule_name": "Kubectl Network Configuration Modification", "sha256": "a1894306d2121d58ca0fbece2a5bf937c976bf968265df675e6644c2ee86bd99", "type": "eql", - "version": 103 + "version": 104 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", 
@@ -6836,43 +6861,43 @@ "rule_name": "Linux Clipboard Activity Detected", "sha256": "586482d2e766199d7d20451c536089086726536ce2d6b78324c97ca9e8a27dac", "type": "new_terms", - "version": 10 + "version": 11 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "M365 Identity Global Administrator Role Assigned", "sha256": "826d91fd08a94cba97478f637b721a622927885f74aa5e12a9c39555ba33dc67", "type": "query", - "version": 215 + "version": 216 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "dffeb89bd2bc7aa9295056acf3f3e48cf641480002098af31aac13a9fd518282", "type": "eql", - "version": 113 + "version": 114 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "rule_name": "Potential Sudo Hijacking", "sha256": "15290009b50a0be19faab5d4bcf8b037b1133350ac236ed74d1fef9b7f28e36c", "type": "eql", - "version": 112 + "version": 113 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "79766485064b150c88c72e4318717a5ae5fbf67996a675b6a6fc90adc2bd6c35", "type": "eql", - "version": 212 + "version": 213 }, "894326d2-56c0-4342-b553-4abfaf421b5b": { "rule_name": "Potential WPAD Spoofing via DNS Record Creation", "sha256": "91e82c47e7296c7f031bd60c2e9a11cbad7708537f7897a41fc725b48242bcdb", "type": "eql", - "version": 108 + "version": 109 }, "894b7cc9-040b-427c-aca5-36b40d3667bf": { "rule_name": "Unusual File Creation by Web Server", - "sha256": "e571b65fc24fca4eca6d1be59574531c2d30099725b3b2636dfca04cf3dca1fd", + "sha256": "96ce6cefc962662f64fab145bdacab7fd6634c324ed8118e1ed935d9ae26bfae", "type": "esql", - "version": 8 + "version": 10 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -6884,79 +6909,79 @@ "rule_name": "FortiGate Overly Permissive Firewall Policy Created", "sha256": "d1d718262a55ce4eb2f3109b52008bb31b4730548cc74c0bb2f88c2066874849", "type": "eql", - "version": 2 + "version": 3 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "997ff3e71d520c0732a123e1d0ad70cdd6bf378b08cb0676dcb3dc3b8be50005", "type": "eql", - "version": 215 + "version": 216 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Suspicious Command Prompt Network Connection", "sha256": "78c4503367d09652a555301342470eda60e4bb0bbbdede4115675d26689da852", "type": "eql", - "version": 215 + "version": 216 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", "sha256": "dd084e812cce1783a6f9ba2487369dcde52524dd9ebbdf42cbb46fbc6775cb61", "type": "eql", - "version": 111 + "version": 112 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "rule_name": "Suspicious Symbolic Link Created", "sha256": "85b2f05242ef2b243497149f4a9ced74f2092360b32956fbd76fa5877477b9ae", "type": "eql", - "version": 11 + "version": 12 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "bfbc2e038be0e058b013edc804ae3cbf9358bf4e7a5e60ec7708fd9335b00208", "type": "eql", - "version": 213 + "version": 214 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "rule_name": "GitHub PAT Access Revoked", "sha256": "f2df2aa417dd23bf02331ebd404b3dd336f446beb1284f6393f29558895e7cbf", "type": "eql", - "version": 206 + "version": 207 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", "sha256": "3cdc89e93768197c70d988777a765055e5d99d6ff147c94e5015d96650a4f6ce", "type": "eql", - "version": 110 + "version": 111 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "b1b9d970b94d1f0d33fee26a4679f1232d96921a54d9a4d0c247b861915dce0f", "type": "eql", - 
"version": 214 + "version": 215 }, "8a1db198-da6f-4500-b985-7fe2457300af": { "rule_name": "Kubernetes Unusual Decision by User Agent", "sha256": "87463c0ee2b94b85ef1a97b095d7804388e7ec85b856a29cf58045acff6110ef", "type": "new_terms", - "version": 6 + "version": 7 }, "8a556117-3f05-430e-b2eb-7df0100b4e3b": { "rule_name": "FortiGate Administrator Login from Multiple IP Addresses", "sha256": "9dcb51c768e95cbd73655d85347ee0163b46f11470f3d673caf5994a6cf16314", "type": "esql", - "version": 3 + "version": 4 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "9af183f0898497548e96c09ddfe9a51ebc3e65db6be58b64891ede967f7a09ff", "type": "query", - "version": 415 + "version": 416 }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { "rule_name": "Unusual Command Execution from Web Server Parent", - "sha256": "df522ce5e98dfecebb085a50f07d0317c34618922825d910d3e36754b4d631b9", + "sha256": "67026a5271dfee3885ded9f2c185ec626772f29c47b50e3d9d51b83092abec19", "type": "esql", - "version": 12 + "version": 14 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -6968,67 +6993,67 @@ "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "sha256": "500aa971acca151f7325aa6f5b1b35a36cd749170866c9f0f3f9a5d1061d008b", "type": "eql", - "version": 110 + "version": 111 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "0891db2139f619c3e12aa7ff813fb6c47c0b921921e10f68302d2cc5e09094fc", "type": "eql", - "version": 315 + "version": 316 }, "8b4d6c3a-2e9f-4b7c-9a5d-6f8e3c1b4d2a": { "rule_name": "Azure Storage Account Keys Accessed by Privileged User", "sha256": "ef60832a362b19da1ecb80f507f7097c504c401b7bfae720da603f222f294c0f", "type": "new_terms", - "version": 2 + "version": 3 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "155748dc2cb03082c198d49c5b3a63d68bcbb946ac0249b60cdd1c0ad240e967", "type": "eql", - "version": 316 + "version": 317 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Events Deleted", "sha256": "8e4798edae7eb2301c9219ac5243fe24e10cd947652efff3d972e522037a0d38", "type": "query", - "version": 109 + "version": 110 }, "8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": { "rule_name": "Several Failed Protected Branch Force Pushes by User", "sha256": "161df6cf4be2d2363710a4fe6c657d1b60e3e64c8b7438588f60e9f60d3528b5", "type": "esql", - "version": 4 + "version": 5 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "a116199798ce219c0aceb2948a7979d20498678ec9bb86abedd8ddb7e974d16b", "type": "query", - "version": 110 + "version": 111 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", "sha256": "9955aae54a8f93f01d22e8dbeba7c6f61bdff91c51078dd51ce9daf7339f6580", "type": "eql", - "version": 320 + "version": 321 }, "8c707e4c-bd20-4ff4-bda5-4dc3b34ce298": { "rule_name": "GitHub Private Repository Turned Public", "sha256": 
"d2deb01d1b50975220e5ee778a3f487256d2704c60bb881efde3f2af99d372f5", "type": "eql", - "version": 3 + "version": 4 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", "sha256": "a5bd7d9ab86ab20b88f66312067bfab6a568f6e2e62a6086ae485a5d2e41f0b6", "type": "eql", - "version": 113 + "version": 114 }, "8c8df61f-ed2a-4832-87b8-ee30812606e0": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via Command Line", "sha256": "0adfd339ad27a6b8b76c80aedee937f94c4f97230a6eb989be7cc055dc705db6", "type": "eql", - "version": 2 + "version": 3 }, "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": { "min_stack_version": "9.4", @@ -7044,7 +7069,7 @@ "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", "sha256": "b1badadb630b67c0ce5e1097220bb27225d8f7c5aeafd602875395912a5854c2", "type": "machine_learning", - "version": 104 + "version": 105 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", @@ -7056,25 +7081,25 @@ "rule_name": "Potential Successful SSH Brute Force Attack", "sha256": "a96fb4b4b383179cc72cb5eae13d8db7519f05a462df336a7c09f4ff2348581e", "type": "eql", - "version": 16 + "version": 17 }, "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { "rule_name": "RPM Package Installed by Unusual Parent Process", "sha256": "fd3063980542ef2a702e17a3d1846cff65911774f84b6f95d92358d7c03f8e7b", "type": "new_terms", - "version": 6 + "version": 7 }, "8cd49fbc-a35a-4418-8688-133cc3a1e548": { "rule_name": "Proxy Execution via Windows OpenSSH", "sha256": "e08100fdb189d4a8d88e1b98e86124b022055743f5ea002e7c6e51addcb26261", "type": "eql", - "version": 3 + "version": 4 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", "sha256": "0bf06ca7dbd6bf33afe26f82f0a013a7c48a33b7aa69fe2114aa607308c21adb", "type": "eql", - "version": 6 + "version": 7 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "9.3", 
@@ -7090,7 +7115,7 @@ "rule_name": "Interactive Shell Spawn Detected via Defend for Containers", "sha256": "50e2c7782f8be9f72c7128dc4db0539b9d79ef43293b239f22635c9dbe0b1cd5", "type": "eql", - "version": 105 + "version": 106 }, "8d4d0a23-19d3-4186-a6f1-6f0760d2e070": { "rule_name": "Multiple External EDR Alerts by Host", 
@@ -7102,97 +7127,97 @@ "rule_name": "Entra ID OAuth ROPC Grant Login Detected", "sha256": "7c732e1ccfa76a9e4b864a9a5cc905c699b322c8fd19066eb9ae614ad50d1e82", "type": "new_terms", - "version": 4 + "version": 5 }, "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": { "rule_name": "Potential Data Exfiltration Through Wget", "sha256": "3fd2b1b4a83e83cd6cc4d3b9171acbf2a8727daa0a182983a596c27976019c1c", "type": "eql", - "version": 3 + "version": 4 }, "8d9c4128-372a-11f0-9d8f-f661ea17fbcd": { "rule_name": "Entra ID Elevated Access to User Access Administrator", "sha256": "83c4b5a6c2d976377276bf4663925ff8f4c92cb2bd44e8d4ff715af6e89ca335", "type": "new_terms", - "version": 5 + "version": 6 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "rule_name": "Potential Privilege Escalation via PKEXEC", "sha256": "b076e4e14884d25fba16f078694f7925272dd885b2e4091bc53e86bf8312b0fe", "type": "eql", - "version": 213 + "version": 214 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", "sha256": "4310e0e0dd6ef5d366aac17c4b8233b9ed3a2a2603d418aeb156e14b7ca3bc2d", "type": "query", - "version": 108 + "version": 109 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "rule_name": "Potential WSUS Abuse for Lateral Movement", "sha256": "753cd28018873970c400a8298c254ce1524a2b19087d022f3c34d946504e3669", "type": "eql", - "version": 213 + "version": 214 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", "sha256": "4d5ec92b6f2172b7a6f70ad0e96425134d404f434be5f19e8347ab2f531bce2d", "type": "eql", - "version": 6 + "version": 7 }, "8e66c55f-8db6-4e3e-bf4f-3a3e242bdf66": { "rule_name": "Microsoft Graph Multi-Category Reconnaissance Burst", "sha256": "7a9834cd74794ce51aa225cb563776e440a9c8e8148106721fe40db00f5e2418", "type": "esql", - "version": 1 + "version": 2 }, "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": { "rule_name": "Entra ID Actor Token User Impersonation Abuse", "sha256": 
"3d44c73a3692bf5d2e82a05e5660e69202bc834886ad39fb4b6b3fe0211e845a", "type": "esql", - "version": 6 + "version": 7 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "rule_name": "Bitsadmin Activity", "sha256": "ebcef83158cf83d309f5a795e4af56f9baaf29a4683c7458757351eec539a0f2", "type": "eql", - "version": 108 + "version": 109 }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { "rule_name": "File Transfer Utility Launched from Unusual Parent", - "sha256": "836b3c4bc02c3e85bb2f6eaa8fec7d019a33b393b55fb392dc33c9c865f2deb6", + "sha256": "ae91e3758de4c74a7ba69bdf76662d67f67d37f3c15d937cd4cd1358692708c6", "type": "esql", - "version": 12 + "version": 14 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "79d2a9160017926198d637f08dc603fedbb7cd4fbd83d17b74b08580ee1474bd", "type": "eql", - "version": 108 + "version": 109 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", "sha256": "97d9b5554bd6133e3e4d7eab81bb0e47fff98c0f0126fc4f675c97058901bb29", "type": "eql", - "version": 113 + "version": 114 }, "8f8004e1-0783-485f-a3da-aca4362f74a7": { "rule_name": "Linux User or Group Deletion", "sha256": "9097975f7890b4d531b35ae33794bd65145b919c575d26e22fa95c26151a5f1c", "type": "eql", - "version": 2 + "version": 3 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "166e37431a08e33591ca315008ea56f76f0f709bf7e858c2dd2fe622cccd981e", "type": "eql", - "version": 212 + "version": 213 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", "sha256": "76199312383db1b95ac2268eaada459efb3d102690231973671f8a2c499dfde3", "type": "query", - "version": 108 + "version": 109 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", 
@@ -7204,55 +7229,55 @@ "rule_name": "Hping Process Activity", "sha256": "5452130912b7e1ab2aa128c84c0b21c6969d10067f9d01105f86b08e0a26dcab", "type": "eql", - "version": 213 + "version": 214 }, "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": { "rule_name": "GenAI Process Connection to Unusual Domain", "sha256": "411e1e52013103268793186989a70512a23fff33bd76a04df70efccab5657b4f", "type": "new_terms", - "version": 5 + "version": 6 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS DB Instance or Cluster Deleted", "sha256": "01f5c53e0534cf3e8f1dbc49a95dffba600a0a04c5417d52cf36cd471cf5a624", "type": "query", - "version": 212 + "version": 213 }, "9056d577-4da5-47bf-8c94-6c0b1bb3f8a5": { "rule_name": "Chroot Execution in Container Context on Linux", "sha256": "1327e72d0dfdb1e0f8b9b5f3fefee53813631ef25ed39a9bbba78105ed320c11", "type": "query", - "version": 1 + "version": 2 }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { "rule_name": "Simple HTTP Web Server Creation", "sha256": "09d9d01561eb71ac979bff7232ba219371801a51e963720cbb333052c30acf43", "type": "eql", - "version": 106 + "version": 107 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "3767b47364ab96c700f9ddf5ee8bf9636f68b00a9d5b36d8c98ee2483cd8cd65", "type": "eql", - "version": 114 + "version": 115 }, "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", "sha256": "04c5ec27d3a9b03f4132d923b9bcf00154388d2360fe8789359516fccfc3187d", "type": "threshold", - "version": 6 + "version": 7 }, "90babaa8-5216-4568-992d-d4a01a105d98": { "rule_name": "InstallUtil Activity", "sha256": "1f836d04fff5d1714236d933b95423d63a44b8df46085065d9e394338ffd3e8c", "type": "eql", - "version": 107 + "version": 108 }, "90c0ce77-3fb4-484f-a8ad-4648e12b35b1": { "rule_name": "AWS EKS Access Entry Modified", "sha256": "b0dee71f273e351db266bb3a78718389454410b327626c2aaabb5e9dc8852273", "type": "query", - "version": 1 + "version": 2 
}, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", @@ -7263,33 +7288,33 @@ "90e4ceab-79a5-4f8e-879b-513cac7fcad9": { "min_stack_version": "9.2", "rule_name": "Web Server Local File Inclusion Activity", - "sha256": "03d1493423cf1eecb33f5c4bb9d629da961d04391cab206a3651b60855ddd1e8", + "sha256": "ce9227305b17902586304198a3a92cec6183faa6ee8d90012c43430db3f90801", "type": "esql", - "version": 5 + "version": 7 }, "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { "rule_name": "Linux System Information Discovery via Getconf", "sha256": "aa1f61fe8a16a44fd7569befb93e71d7bf94d8ade6285a0afabf70257ebdf9ec", "type": "new_terms", - "version": 5 + "version": 6 }, "90efea04-5675-11f0-8f80-f661ea17fbcd": { "rule_name": "Entra ID Unusual Cloud Device Registration", "sha256": "ef5f1f198548e65c9ed5cb95c3b011532c0de3d57edca67c59a6007529e93b0c", "type": "eql", - "version": 5 + "version": 6 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "b710a75749f1c2ca395821015bbfa00e3870d75a89785e4506f4029b9d54445c", "type": "query", - "version": 109 + "version": 110 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", "sha256": "b772aae4fecd07fc3fda61945a74f84d5f31d5e5371a490c75a2c1f5e39b21d9", "type": "query", - "version": 212 + "version": 213 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "9.4", @@ -7305,7 +7330,7 @@ "rule_name": "Unusual Web User Agent", "sha256": "cfcad42e56eaf65d1ad977504ea2a1122b7bec964cd4aa3c09f5aaa0983e206a", "type": "machine_learning", - "version": 207 + "version": 208 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "min_stack_version": "9.4", @@ -7321,7 +7346,7 @@ "rule_name": "Unusual Web Request", "sha256": "6674d243b24f7dbdaa41751d1c4dc3244e6757de2c25baff5ebbd5d32e1422d5", "type": "machine_learning", - "version": 208 + "version": 209 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "min_stack_version": "9.4", 
@@ -7337,7 +7362,7 @@ "rule_name": "DNS Tunneling", "sha256": "6d6bb3df7c940826fbc2cbff1da1ad41b1dd196c901b034d0f7f1bfe259397a0", "type": "machine_learning", - "version": 208 + "version": 209 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", 
@@ -7349,79 +7374,91 @@ "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "58da4c9a17bcfbc79ef87cb25e7a4fcf2d48d7ed569789517061ef9be0b86634", "type": "query", - "version": 214 + "version": 215 }, "929d0766-204b-11f0-9c1f-f661ea17fbcd": { "rule_name": "M365 Identity OAuth Phishing via First-Party Microsoft Application", "sha256": "5b1525d9fb3e1d0b955b43b502826a19998607b96fce7d351b5f2a4b656a61fe", "type": "query", - "version": 5 + "version": 6 }, "92a36c98-b24a-4bf7-aac7-1eac71fa39cf": { "rule_name": "First Time Python Spawned a Shell on Host", "sha256": "be63d148ae752f2a10774f0a44d74f9d112e91c8757bb2b6821252b3481ce6c1", "type": "new_terms", - "version": 2 + "version": 3 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "rule_name": "A scheduled task was created", "sha256": "7efafffc437abbe227a0503113191f580362de2d55f7d83279aa4718b2ad5227", "type": "eql", - "version": 115 + "version": 116 + }, + "92b11a06-57ab-4f6d-a18b-fb7fdf3cc63f": { + "rule_name": "Passwordless Sudo Probing", + "sha256": "5d374b31858c7cb44f7506ee9ec1d5f6e39af3b48436baf5cb9fe763edc9e9d7", + "type": "eql", + "version": 1 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "ba06cd9a60b678a177105f360eee0602b9dbae4dc739bd308111e4ccf706fe98", "type": "eql", - "version": 111 + "version": 112 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", "sha256": "a7f3fb92910eb74a17595421262ef4c0c685a07e4e5512f18cdb96117b34f30b", "type": "new_terms", - "version": 216 + "version": 217 }, "93120a05-caf5-47f6-a305-e8abee463fb9": { "rule_name": "Kubernetes Pod Creation Using Common Debug or Base Images", "sha256": "75899e6bc8d17dbb87ecafbe4e9e56a1a465d8e7dffd767f9a24ac2d03860358", "type": "new_terms", - "version": 1 + "version": 2 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Activity", "sha256": 
"bed251adfc37c827253140e4659e753a36a15717622a7081ab318cf765576578", "type": "eql", - "version": 211 + "version": 212 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "c55bac37daa9321802740fb410156e014f7560d5cc079d927f224956d090523e", "type": "query", - "version": 213 + "version": 214 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", "sha256": "b1ca64a473159cace9469b404e6e212f76b072963ef57f2082259313d45d3b85", "type": "eql", - "version": 214 + "version": 215 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Deprecated - Encoded Executable Stored in the Registry", "sha256": "f68b4a5cc0a9b8ae595d15919b1ce6607fa1a1b6e08ef5f73c6b91d35996c7ac", "type": "eql", - "version": 419 + "version": 420 + }, + "93d2c5bf-dac1-4e0f-ab52-16f440782bb8": { + "rule_name": "Google Workspace Login Flagged Suspicious", + "sha256": "eb63d1ef0bc52fa63f2f387b028278320a8454acb64c36302e5a6addba4a5e55", + "type": "query", + "version": 1 }, "93dd73f9-3e59-45be-b023-c681273baf81": { "rule_name": "Linux Video Recording or Screenshot Activity Detected", "sha256": "a7d3bdce1506512de3038f519099b488cfaf31a9ddf4c791ac8aca3c2861359b", "type": "new_terms", - "version": 2 + "version": 3 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", "sha256": "69b1e02d3a36de758cf981011b13ecfc3134cc52eeaa7686b2f2aef99248120e", "type": "query", - "version": 210 + "version": 211 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration", @@ -7433,7 +7470,7 @@ "rule_name": "Executable Bit Set for Potential Persistence Script", "sha256": "36ac08934324e18a5d413160904562eb2048ebc1ec0386d2e5c65e183599afbb", "type": "eql", - "version": 109 + "version": 110 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Deprecated - Creation of Kernel Module", 
@@ -7445,67 +7482,67 @@ "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "3507e4b16ab8077d5b8ded1a95748032027b442f316dbc78a0ac441986535426", "type": "eql", - "version": 216 + "version": 217 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Potential Okta Credential Stuffing (Single Source)", "sha256": "c9bdd66f536436153709d92c363c2bfc9637912240daf7eb789913fb2a9f4efe", "type": "esql", - "version": 211 + "version": 212 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "e9260d441ee6bb2650fab753e31ab175e5b98418141b067ed6cd3a942bd81750", "type": "query", - "version": 110 + "version": 111 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "c0132ac1a7c0915024784aa3942547eb1ab31b0ca04f36d96800c8bd7ae1d279", "type": "query", - "version": 110 + "version": 111 }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { "rule_name": "D-Bus Service Created", "sha256": "a18c513e885014629b1256650fe3ded14d233dc2ed783efca6ecb4b8af1946fa", "type": "eql", - "version": 7 + "version": 8 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", "sha256": "d806114e9175121535a78373c2f4f747985e6a90c11f6e960c3370037b71e866", "type": "eql", - "version": 215 + "version": 216 }, "9550ec87-e73c-4baa-ad44-e448a33fbc3d": { "rule_name": "AWS EKS Access Entry Granted Cluster Admin Policy", "sha256": "652611a8d6d720fe183c23b189538c22c0965eadeff325253a214218fb49ca7a", "type": "query", - "version": 1 + "version": 2 }, "9563dace-5822-11f0-b1d3-f661ea17fbcd": { "rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client", "sha256": "4062c9fbacade77b466ba4c8c18199e74c0d56a88a9eeef6fdc5d2d4494315d7", "type": "new_terms", - "version": 5 + "version": 6 }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": 
"ac705fd1257ac37bcda167b715884142ebe726b87d21f9f82b2b0bbd48822ee4", "type": "query", - "version": 214 + "version": 215 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "a266665d423c29eff07547ef4fd37eec7dc215b9f139f64484299c2a1bc49456", + "sha256": "81f5b2064e7de2bb721c91a9b87d91bb7c70f19839bc093e4bf47ee2544c3cae", "type": "esql", - "version": 211 + "version": 213 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", "sha256": "7d65bad7fb01c9df8886dd57509eeb3dab22246cd5bdb3030a6770a70c26d822", "type": "new_terms", - "version": 8 + "version": 9 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "min_stack_version": "9.3", 
@@ -7521,67 +7558,67 @@ "rule_name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers", "sha256": "8731c52d5893d47420bbb5a3b0149d7db6bfb0f0bb7297e2fd1c7cbbb03a5f01", "type": "eql", - "version": 105 + "version": 106 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "rule_name": "File made Immutable by Chattr", "sha256": "f924c739edb9ebd321df9baebfbf20c658b48cffa6bc33e56a3061d08f2160d1", "type": "eql", - "version": 217 + "version": 218 }, "96b2a03e-003b-11f0-8541-f661ea17fbcd": { "rule_name": "AWS DynamoDB Scan by Unusual User", "sha256": "922c37a1cdb6f1cd90a88e213929b164bbb8346fecf5aaf2548d04f5c1200ffb", "type": "new_terms", - "version": 6 + "version": 7 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", "sha256": "6b1686cc7b6a837576f758cc91736ce0308787558a588f34d90d5cb568304455", "type": "query", - "version": 414 + "version": 415 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", "sha256": "fb6f0c3d4a4b1103cffd1214243faf16011837bf6185ed9dd364b4b00955967d", "type": "eql", - "version": 17 + "version": 18 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process", "sha256": "c279f98199a5b04feb2862a6366b838116076f27a12f928988e6fa4747284e71", "type": "eql", - "version": 212 + "version": 213 }, "96f29282-ffcc-4ce7-834b-b17aee905568": { "rule_name": "Potential Backdoor Execution Through PAM_EXEC", "sha256": "132131e91bb5571399245226355bb06a9e2707dbe7eebedaa18d51a965601746", "type": "eql", - "version": 4 + "version": 5 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "3f327621ed0547019a5b5d0a878ab68f39d8bea7a021464559cbccee95018f77", "type": "eql", - "version": 114 + "version": 115 }, "9705b458-689a-4ec6-afe8-b4648d090612": { "rule_name": "Unusual D-Bus Daemon Child Process", "sha256": 
"32963455b75df93504e8d1002eaa12a8821f55aa19be3c4fee1115dc42f8708c", "type": "eql", - "version": 6 + "version": 7 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "M365 Exchange Anti-Phish Rule Modification", "sha256": "5085f954d4ff259286c61446ad71512f3a21abc0c58e2e492aea0ccb050116d8", "type": "query", - "version": 212 + "version": 213 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "f2cc5c75a97f850533473a4b070a5de9e09cadd3e2d2ab3e3594bf7a4f0bd19c", "type": "query", - "version": 109 + "version": 110 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { "min_stack_version": "9.3", @@ -7597,19 +7634,19 @@ "rule_name": "DebugFS Execution Detected via Defend for Containers", "sha256": "cb201a9e31aa49674cb68601b095f1fe2812900a8e7b104b8e5a35913c4cd69c", "type": "eql", - "version": 104 + "version": 105 }, "976b2391-413f-4a94-acb4-7911f3803346": { "rule_name": "Unusual Process Spawned from Web Server Parent", - "sha256": "5bf6380747f1cb95b184818ca866517ab8cd592d255de6dee340594eb30015d8", + "sha256": "5194925ce4db32f868c73564de0e94c334165dfc31b40121db84172cc965cf6e", "type": "esql", - "version": 12 + "version": 14 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", "sha256": "101588c75ca495165b4a75b184b63ce8f2ecc204a09f8a1f687e32708adb06e5", "type": "query", - "version": 214 + "version": 215 }, "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": { "rule_name": "Potential HTTP Downgrade Attack", 
@@ -7621,13 +7658,13 @@ "rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications", "sha256": "a44033692c37bed24ce3925b6ca42e5bd9fb6b47ee30ff08d20220ff77e28f9c", "type": "eql", - "version": 419 + "version": 420 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", "sha256": "1a18715f4ab14be5a645089d5e96d2d98eaf64d7c8b4239d84d2d0c8b518fbfa", "type": "eql", - "version": 423 + "version": 424 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -7639,7 +7676,7 @@ "rule_name": "Suspicious Renaming of ESXI Files", "sha256": "34932396b727d338f36c36468067ccae5bda12c0704d2824ff90b34548bbe134", "type": "eql", - "version": 13 + "version": 14 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", 
@@ -7651,43 +7688,43 @@ "rule_name": "Startup or Run Key Registry Modification", "sha256": "d7a6f3d9e2ace9040d8e06757f2efc2c06486ff524feba35e5e3a743560622d6", "type": "eql", - "version": 120 + "version": 121 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "sha256": "dafbd42605333aa135c1efb0261e9eb5359dffe444e4979a8dea91630c9e80ff", "type": "eql", - "version": 9 + "version": 10 }, "9822c5a1-1494-42de-b197-487197bb540c": { "rule_name": "Git Hook Egress Network Connection", "sha256": "cc8a4cc0fb13f05a7da5ab6cfb6cd3695172d812a45c53e6a907e9695ba46683", "type": "eql", - "version": 7 + "version": 8 }, "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", "sha256": "d8b0db21eaf28b6c2ede7046c2a599db635f704533c740913838a7ef0b324a85", "type": "eql", - "version": 107 + "version": 108 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "1d8b7387ffc9ba14ad87292fe10c366ccadee0b56b8e0932723616aa4afb8154", "type": "eql", - "version": 107 + "version": 108 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "9e0d0436cb2a69e6b72f3dc82fd928e79dd5ee95eaf0a59877b5e93864791dc7", "type": "query", - "version": 109 + "version": 110 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "M365 Exchange Management Group Role Assigned", "sha256": "12f387e3566dfd84bdb25e5380d9df4277a814500ce2286d1b624994ca9552d8", "type": "query", - "version": 213 + "version": 214 }, "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": { "min_stack_version": "9.3", 
@@ -7703,20 +7740,20 @@ "rule_name": "Kubectl Configuration Discovery", "sha256": "33897dd8a858f989c8a73f3f64ff7d370670cc9d413c2f2b022a4b1ef3ca0e10", "type": "eql", - "version": 103 + "version": 104 }, "98cfaa44-83f0-4aba-90c4-363fb9d51a75": { "min_stack_version": "9.2", "rule_name": "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts", - "sha256": "36a458a86040717891dffe0223608c244d185d931205bbeee4113444efced15a", + "sha256": "25ecd1343c0719865ac7ad139f4a588a1c388531d9f2d50601d454232eb6c6c9", "type": "esql", - "version": 2 + "version": 4 }, "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": { "rule_name": "M365 SharePoint Site Administrator Added", "sha256": "dd4667aa3346d5aaf3c34b89d393074ecf11bf0188f022df8a39f52ad5c089a9", "type": "query", - "version": 2 + "version": 3 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "Deprecated - AWS EC2 Snapshot Activity", 
@@ -7734,43 +7771,43 @@ "rule_name": "Suspicious Installer Package Spawns Network Event", "sha256": "10b68299303c79e2f3f73069791e5403b756335bc4d4d502987b6d7352fd276b", "type": "eql", - "version": 113 + "version": 114 }, "994e40aa-8c85-43de-825e-15f665375ee8": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "e6d17410dec032b711ab184de223d6a66583d99ce4761d37339a5dfddd2d61d4", "type": "eql", - "version": 116 + "version": 117 }, "9960432d-9b26-409f-972b-839a959e79e2": { "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "97c6179e37d6a79ce2058fadfe181ef06473676782811c2c2c42619d9ef9d70f", "type": "eql", - "version": 314 + "version": 315 }, "999565a2-fc52-4d72-91e4-ba6712c0377e": { "rule_name": "Access Control List Modification via setfacl", "sha256": "14fa79860f040a253d5c11c72158206f1e5d8427bf093ceea28e56c485e5deb0", "type": "eql", - "version": 107 + "version": 108 }, "99ac5005-8a9e-4625-a0af-5f7bb447204b": { "rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query", "sha256": "a2d97fff1bd846c160d0686891ff780be940567b549646c42ea3501261c01f27", "type": "eql", - "version": 3 + "version": 4 }, "99c2b626-de44-4322-b1f9-157ca408c17e": { "rule_name": "Web Server Spawned via Python", "sha256": "310b1e61d9b41741178106b8ba4ed0c827b48f8a08a902c110a7820c4292770e", "type": "eql", - "version": 106 + "version": 107 }, "99c9af5a-67cf-11f0-b69e-f661ea17fbcd": { "rule_name": "Potential VIEWSTATE RCE Attempt on SharePoint/IIS", "sha256": "bb8b21db9e5d74586d51fb821124a37c98917348d26a72bccecddea93d210c28", "type": "query", - "version": 1 + "version": 2 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "9.4", 
@@ -7786,31 +7823,31 @@ "rule_name": "Spike in Failed Logon Events", "sha256": "6c2a61bfd4d95da96708ad6dd4ffad62c9111f9ab7950b025deef83d487990df", "type": "machine_learning", - "version": 208 + "version": 209 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security (Elastic Defend)", "sha256": "9a34f25056907f42962de240e218fc715885d5e29636b34368c1b817e89a3e25", "type": "query", - "version": 108 + "version": 109 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { "rule_name": "Unsigned BITS Service Client Process", "sha256": "e5e1fcb9ece7005ef0bf2067c7f44e12d243276d89aa4b0a9100bfab5196ca5c", "type": "eql", - "version": 5 + "version": 6 }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "rule_name": "Potential Shadow File Read via Command Line Utilities", "sha256": "e8efbccb131f12cbf2af6152d092d09160eccb18d0bf83fc5d299a3bb5ed419a", "type": "new_terms", - "version": 213 + "version": 214 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", "sha256": "df0048d2667b6c222cfdce393bfaed7e9c0b0ff9f393e1e2179394241e1acdf9", "type": "eql", - "version": 315 + "version": 316 }, "9a6f5d74-c7e7-4a8b-945e-462c102daee4": { "min_stack_version": "9.3", 
@@ -7826,85 +7863,85 @@ "rule_name": "Kubeconfig File Discovery", "sha256": "952491df2d553d81ac6123388594fb05d3495f6ad8592f77c734e2f8c1ec0938", "type": "eql", - "version": 104 + "version": 105 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "3810a0fccc9e811440eae244a951df04360e69e721dfcf8f30aa58e24469f983", "type": "eql", - "version": 316 + "version": 317 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", "sha256": "da64cc799df3d7b93ccb5ae04e3e099d02a697837a05f18e35f295b53e2747fb", "type": "eql", - "version": 10 + "version": 11 }, "9aeca498-1e3d-4496-9e12-6ef40047eb23": { "rule_name": "Suspicious Shell Execution via Velociraptor", "sha256": "6b99269e68808661c7b097b7da16cf8d7325e44f45bb3d3d2420dc40f42bcdd8", "type": "eql", - "version": 4 + "version": 5 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "rule_name": "GitHub Owner Role Granted To User", "sha256": "8c4046c8e10aa286e834471735eccdfa372b1419bfbe3dfca6713b231951221e", "type": "eql", - "version": 211 + "version": 212 }, "9b35422b-9102-45a9-8610-2e0c22281c55": { "rule_name": "SentinelOne Alert External Alerts", "sha256": "68730c7058c78efbdb1fa839ed203894407fe046b9db371d79697927d04df699", "type": "query", - "version": 1 + "version": 2 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "rule_name": "Persistence via WMI Event Subscription", "sha256": "374c1fe670e524331c98bbb4ec7592c692b262eb48d79de575d8a792ab4a3eb2", "type": "eql", - "version": 319 + "version": 320 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", "sha256": "08b7cbc1fe957a8e96b47412dde3a48dee6dd1c2196e026c8300003adc915044", "type": "eql", - "version": 10 + "version": 11 }, "9c0f61fa-abf4-4b11-8d9d-5978c09182dd": { "rule_name": "Potential Command Shell via NetCat", "sha256": "fe7066cb047e8fcd01978d0b3fa2b4907279ea0c61582379577178729366bd78", "type": "eql", - "version": 3 + 
"version": 4 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "rule_name": "Hosts File Modified", "sha256": "2a3d34af24f45fc01ea0f0bcd3ba685e5a5caa3780e1818985ea77f40f1e9ffc", "type": "eql", - "version": 214 + "version": 215 }, "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": { "rule_name": "Unusual Interactive Shell Launched from System User", "sha256": "9ece81aaee4ed5b034cf8a085367eaccce1145402d65119600ff18fed390a0d4", "type": "new_terms", - "version": 6 + "version": 7 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "19de9f9fc0e3eecf2d6c781ee13ed518693898c4ae017773ae00935a3c0461b8", "type": "eql", - "version": 115 + "version": 116 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { "rule_name": "Potential Enumeration via Active Directory Web Service", "sha256": "0c85320dda4c263897f73786db5f64709cee15a949bdeb737af5e0699732c8d8", "type": "eql", - "version": 7 + "version": 8 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "b196224da05961cc60a8e23ab01d266096b0a93b7052944f664f549754b8f810", "type": "eql", - "version": 315 + "version": 316 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "rule_name": "Google Workspace User Group Access Modified to Allow External Access", 
@@ -7922,37 +7959,37 @@ "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "81212b96cde03acf5a34ba614c8863dcc6824d7342a7a9bb0de627b78ae23a56", "type": "new_terms", - "version": 318 + "version": 319 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "a5a2120ba773b49b0c59e22922b4d05a1af99a127f4a6bdf1f9aee20e15bedcf", "type": "eql", - "version": 319 + "version": 320 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "c7e89da2a2aa3a6c364cad023a1d462109ad48931c034f3dbd9796b13a413f5a", "type": "eql", - "version": 220 + "version": 221 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "0982e8339b388a70826a63e397b5e247bacd15c4aa96fa2be11d965afd150e48", "type": "eql", - "version": 214 + "version": 215 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "42048d40cc9b676d20a7f287ad562321f8a39036183d95d04b769aebead1de85", "type": "new_terms", - "version": 321 + "version": 322 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": "934d4f4f579d6487e86d38b573a7fedca4169097d8914b5859aedc7ba96931f5", "type": "eql", - "version": 212 + "version": 213 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading", 
@@ -7974,172 +8011,172 @@ "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "f8d8912ae2d8039dc804a4fb2851251923c29ebace475dcf20f4bd3b87bcc4fa", "type": "machine_learning", - "version": 207 + "version": 208 }, "9d312839-339a-4e10-af2e-a49b15b15d13": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Common Utilities", "sha256": "d0d094b1f3d2824d3f539e132c5573e5b8d9e94f113705086cb90fc35438b8dc", "type": "eql", - "version": 3 + "version": 4 }, "9d94d61b-9476-41ff-a8d3-3d24b4bb8158": { "min_stack_version": "9.3", "rule_name": "Tunneling and/or Port Forwarding Detected via Defend for Containers", "sha256": "f8be6f477a2da1a7d940956c6dbc04076b17f5ab491021aaa8b623554c49eae5", "type": "eql", - "version": 2 + "version": 3 }, "9e11faee-fddb-11ef-8257-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Authentication Type", "sha256": "c99ca37b4a4b58fb57cfc77836e72bbe603e86068b3ea86669df86ac64e69d76", "type": "new_terms", - "version": 8 + "version": 9 }, "9e5dbd3b-5e19-4648-a1cf-c2649c91b015": { "min_stack_version": "9.3", "rule_name": "Namespace Manipulation Using Unshare in a Container", "sha256": "e432f9cf681f15c99f6ef764b574776af1db178c2e2367382ffb482750acf8f5", "type": "eql", - "version": 1 + "version": 2 }, "9e81b1fd-e9fb-49a7-8ebe-0d1a14090142": { "rule_name": "Potential Password Spraying Attack via SSH", - "sha256": "3cbe10aca00d7c1efe266e506d7f5a7d57600ad6207ecce6d61f2bb650737630", + "sha256": "1539ca39127ce11bc3543aebcf5edbec20da6b9993011e23dc0e2dd1709d95c6", "type": "esql", - "version": 3 + "version": 5 }, "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": { "rule_name": "Potential SSH Password Grabbing via strace", "sha256": "c9bef573b3f690c4d008b46914f0168b42c2944eb1945c737c89d8a76e6f4aa4", "type": "eql", - "version": 3 + "version": 4 }, "9ebd48ac-a0e2-430a-a219-fe072a50146b": { "rule_name": "AWS CloudTrail Log Evasion", "sha256": "b08fe11bdf17d81c9516472a841db7993c175996a06773032ef7b92282f89ebc", 
"type": "query", - "version": 3 + "version": 4 }, "9ed5d08f-aad6-4c03-838c-d686da887c2c": { "rule_name": "Okta AiTM Session Cookie Replay", "sha256": "39164513ba294600eae6f1e6a7d5ac56cf28a69c5d48983ffe6a3f7ce5639f99", "type": "esql", - "version": 3 + "version": 4 }, "9edd000e-cbd1-4d6a-be72-2197b5625a05": { "rule_name": "Suricata and Elastic Defend Network Correlation", "sha256": "2ab8e7a7800653b9e37968900393df0f9f2f5d33441573121f0280acbe34c2cd", "type": "eql", - "version": 4 + "version": 5 }, "9edd1804-83c7-4e48-b97d-c776b4c97564": { "rule_name": "PowerShell Obfuscation via Negative Index String Reversal", "sha256": "b33c684120dc6f9e6274cf518cc990c7730ed0e47045a4cb79d4cf11bb098b76", "type": "esql", - "version": 10 + "version": 11 }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", "sha256": "22b08b978d2a7ffdaf6487814a21eac8a8b3882f05c0c72938e5ada70b2f223d", "type": "eql", - "version": 9 + "version": 10 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", "sha256": "de326157f887fe153178406c21d4c6d5b7083d7b37989d95fbe88cc3b47cf107", "type": "eql", - "version": 216 + "version": 217 }, "9f420cca-cb27-44db-a13d-c43c7b48e04a": { "rule_name": "Kubelet API Connection Attempt to Internal IP", "sha256": "cca84cb2c6da4a05157e5d1e018a7bbe95a35bd604d0a3b76740a644e6330382", "type": "eql", - "version": 1 + "version": 2 }, "9f432a8b-9588-4550-838e-1f77285580d3": { "rule_name": "Dynamic IEX Reconstruction via Method String Access", "sha256": "a51bf01a5df76390c908b50a4a9b7c3fb2cdad0ed9c8e0c55d50b16b67c240d7", "type": "esql", - "version": 12 + "version": 13 }, "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f": { "rule_name": "AWS IAM Long-Term Access Key First Seen from Source IP", "sha256": "427dd26601fe597a174af7d832b94eb1a8f5786d002b426dd2946745d63601c8", "type": "new_terms", - "version": 2 + "version": 3 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via 
DCSync", "sha256": "9c42ae537b615ded60d491c0690bcaa728c5fe70c54e4d67b5d0a21a63b88776", "type": "new_terms", - "version": 221 + "version": 222 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", "sha256": "d93040becd8bbf8f42f58453634aae7a7ea3e2544497b11c5ebe435f07c4b01b", "type": "new_terms", - "version": 216 + "version": 217 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "8795f294df2824f66b4130cdff5d174717d9981c7dd6f859e37bbcb28b3c398b", "type": "new_terms", - "version": 319 + "version": 320 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "rule_name": "Unusual Scheduled Task Update", "sha256": "c67025ab0d89afff2e717de898cb55d5689c8aad67826167a03b0cd4c9bc284b", "type": "new_terms", - "version": 118 + "version": 119 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "rule_name": "Potential Privilege Escalation via Python cap_setuid", "sha256": "e33dee9e1e0472fe7b4bb95a33a85484750138d145fa1fd68bad0ec533d1e2db", "type": "eql", - "version": 9 + "version": 10 }, "a0fbd7a9-1923-4e05-92df-b484168f17bc": { "rule_name": "Sensitive File Access followed by Compression", "sha256": "4229ab56c54c29e2fee1021f6509406944d50803d252c497dd310d99fed68335", "type": "eql", - "version": 2 + "version": 3 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "b7563d73159d22dee91b57c70d5c21d5a8a4e1bda6dac44d4d928cd855957b07", "type": "query", - "version": 110 + "version": 111 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", "sha256": "e62636c003eda020e0336d2bf353771df79401bc70067f267bf5059c2bce00dc", "type": "eql", - "version": 212 + "version": 213 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", "sha256": "5efdf2a253cb05a0a0e2d843c94d7196d97edc860d48285c4275b8aa17f1887f", "type": "eql", - "version": 216 + "version": 217 
}, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "253c914e9293edebec6c7faf581b9cef1faa6bab72fc5ae1ce5284af5d7a0a04", "type": "eql", - "version": 213 + "version": 214 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": "015324413a84362600add02b8df771116af2de4f119d3868ab9425704251e0d8", "type": "eql", - "version": 215 + "version": 216 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "5c9184b7bbce98b4980ceaaf2d6c8d70b16c21ace2d1ecb51d7c6cfb7050a0dc", "type": "query", - "version": 109 + "version": 110 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { "rule_name": "My First Rule", 
@@ -8151,85 +8188,85 @@ "rule_name": "Potential Reverse Shell Activity via Terminal", "sha256": "1933279eb0a1f69eecd6e4e705790232b200372e83e832ecfb52e1319e301f5e", "type": "eql", - "version": 112 + "version": 113 }, "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d": { "rule_name": "Azure Storage Account Deletion by Unusual User", "sha256": "352c5821d7eca95826730550a43559e960148a7696f8b66ee023fbedc192978c", "type": "new_terms", - "version": 2 + "version": 3 }, "a1b2c3d4-e5f6-4789-a0b1-c2d3e4f5a6b7": { "rule_name": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity", "sha256": "c3bf694ddbb0183b499e816bed860e55e57086d6f8bee87f6eead524f76a96ff", "type": "esql", - "version": 1 + "version": 2 }, "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": { "rule_name": "Potential Account Takeover - Logon from New Source IP", "sha256": "3eb049e7a57e256acae41fb8b3da9603ace0b0d8167ea059564a83f64cc7a5b2", "type": "esql", - "version": 3 + "version": 4 }, "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": { "rule_name": "Entra ID Protection Admin Confirmed Compromise", "sha256": "54a26dec737e913d13398210e60b5e0765bc4f57976293f5c9666910f23ef99a", "type": "query", - "version": 3 + "version": 4 }, "a1b2c3d4-e5f6-7890-abcd-ef1234567890": { "rule_name": "GenAI Process Connection to Suspicious Top Level Domain", "sha256": "c597b499c50eebdee9b57239e803b09995c9099b189f7337ed6bc1c272e861ea", "type": "eql", - "version": 1 + "version": 2 }, "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": { "rule_name": "Web Server Suspicious User Agent Requests", - "sha256": "f069dfa7e85bd95eea645793c221cb5329e75544f6b1b6646cc55a104a95ee7f", + "sha256": "a833ee4b7c19641ca3daf264579b87d14ec90f03abffd847f896dfa9a226465c", "type": "esql", - "version": 5 + "version": 7 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "rule_name": "Linux Group Creation", "sha256": "d0040002c9b7c60e5e303893dd4a5ca29f8df89596c3191f76c6af9d7d2eaf06", "type": "eql", - "version": 11 + "version": 12 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": 
"DNS-over-HTTPS Enabled via Registry", "sha256": "1094a50c56d7017e3b7cacacb46da4f3f742a1927fcbbd986b23e9f2cb7b8632", "type": "eql", - "version": 317 + "version": 318 }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", "sha256": "8ee49a67c0bedcc25c790e6d57a0835f5748dc89b35eb4dd6c0736231edeace1", "type": "new_terms", - "version": 6 + "version": 7 }, "a22f566b-5b23-4412-880d-c6c957acd321": { "rule_name": "AWS STS AssumeRole with New MFA Device", "sha256": "6935a7b9fd5f67e312b06f45233bc7e9e6e832dc3f93a9c0b1f84cb7624bb384", "type": "new_terms", - "version": 8 + "version": 9 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", "sha256": "8ffc100a7b1d4ce6518d28c266f7b80ca1898c4505645909bdfea0f8f22ac297", "type": "query", - "version": 112 + "version": 113 }, "a2951930-dd35-438c-b10e-1bbdc5881cb4": { "rule_name": "Kubernetes Cluster-Admin Role Binding Created", "sha256": "e69d0cfdb03d64b04b04b0301086a748d32f13d2f828a3b71177061780ee9f68", "type": "query", - "version": 2 + "version": 3 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "rule_name": "PowerShell Mailbox Collection Script", "sha256": "55d54469459e3e10c63d48e5b841cec3199fb5050e041092c06301b26217a960", "type": "query", - "version": 113 + "version": 114 }, "a300dea6-e228-40e1-9123-a339e207378b": { "min_stack_version": "9.4", 
@@ -8245,31 +8282,31 @@ "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", "sha256": "a296f2e27d0d4e3f4f6c7ab90fc49f8f4a0b4c14d49775288666a234e4b403b2", "type": "machine_learning", - "version": 104 + "version": 105 }, "a337c3f8-e264-4eb4-9998-22669ca52791": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected", "sha256": "c842a49d9921b27647b6349ad118e5d70cd985461f2b819bf9fa5f5a4a11bae3", "type": "esql", - "version": 2 + "version": 3 }, "a3cc60d8-2701-11f0-accf-f661ea17fbcd": { "rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client", "sha256": "38c9a1b455477aee830f90a89dae1d703f545c3d857cf4262153a23b2e0c80ba", "type": "new_terms", - "version": 6 + "version": 7 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", "sha256": "45e496a5db75cfaeacfff862a81984feb874e83dda47302b806b3018d6b902b8", "type": "eql", - "version": 315 + "version": 316 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", "sha256": "7f99f097bb57ddc1941d88331bcbee883d0ab39981bc2f9b36b90e3de2a4f6ed", "type": "eql", - "version": 4 + "version": 5 }, "a4b740e4-be17-4048-9aa4-1e6f42b455b1": { "min_stack_version": "9.4", 
@@ -8285,19 +8322,19 @@ "rule_name": "Spike in GCP Audit Failed Messages", "sha256": "0293cbc3c1b896acdee5fb53bfe925958fc9d5ec773806a13d9e468e89a65005", "type": "machine_learning", - "version": 101 + "version": 102 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "494c2ead2012b6ac1746c05e790ae1b33e01a2c4944d8d5ceea9b180635be2eb", "type": "eql", - "version": 114 + "version": 115 }, "a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a": { "rule_name": "Kubernetes Secret get or list with Suspicious User Agent", "sha256": "e46a2fbbff2a97fc224bcfc204b6da19f6797f396c7f45d04837c9c0e237ffc6", "type": "query", - "version": 1 + "version": 2 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -8309,7 +8346,7 @@ "rule_name": "Suspicious SolarWinds Web Help Desk Java Module Load or Child Process", "sha256": "76d59e79f3babe6154c71460acf4fda53d270601b8e4aef05258ca8d78e64833", "type": "eql", - "version": 3 + "version": 4 }, "a52a9439-d52c-401c-be37-2785235c6547": { "min_stack_version": "9.3", @@ -8325,7 +8362,7 @@ "rule_name": "Netcat File Transfer or Listener Detected via Defend for Containers", "sha256": "7e3bfec1c4781db2d7417c710ec2883216a3b33ff5bfd0292f1c72cf76b48f18", "type": "eql", - "version": 105 + "version": 106 }, "a577e524-c2ee-47bd-9c5b-e917d01d3276": { "rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary", @@ -8337,7 +8374,7 @@ "rule_name": "Potential Reverse Shell via UDP", "sha256": "682586bdb044ed6ab9f2d86aa3803980638ce1756f871292eca8c0f20adae25e", "type": "eql", - "version": 12 + "version": 13 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "rule_name": "Potential SSH Brute Force Detected on Privileged Account", 
@@ -8359,19 +8396,19 @@ "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "527325250cfdd394de8beb2562d3f3d0b44210d85cdfb77b26cfbcbb2c56a852", "type": "new_terms", - "version": 317 + "version": 318 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Entra ID PowerShell Sign-in", "sha256": "5d891782faacde7c072c3f8e3819b0e10c0932cbea16e27587b86081ee4e243e", "type": "query", - "version": 110 + "version": 111 }, "a6129187-c47b-48ab-a412-67a44836d918": { "rule_name": "M365 Azure Monitor Alert Email with Financial or Billing Theme", "sha256": "34085bc10fd883d07e4593354c15c2b5a740f637f8f8a0dac8b18c02556d89dc", "type": "esql", - "version": 2 + "version": 3 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "rule_name": "Threat Intel Windows Registry Indicator Match", 
@@ -8383,49 +8420,49 @@ "rule_name": "Suspicious MS Office Child Process", "sha256": "61beceda1e8d0cc9099934a9ad0a0bcae06126b1650941b03a8b4e36c8c1f191", "type": "eql", - "version": 320 + "version": 321 }, "a640ef5b-e1da-4b17-8391-468fdbd1b517": { "rule_name": "Execution via GitHub Actions Runner", "sha256": "ea34a8cd8b428ffac29baa616dc58a516e9d24a3ae30c3525c5fdf5478d1bc34", "type": "eql", - "version": 3 + "version": 4 }, "a643e6b8-ba2a-45f1-8d71-d265bfe2ae43": { "rule_name": "Kubernetes CoreDNS or Kube-DNS Configuration Modified", "sha256": "f9ac0a1ac302dd70ac23d1538d11ac1c49b802df8e0e9d47ce6c2e8c10627cb7", "type": "query", - "version": 1 + "version": 2 }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", "sha256": "6ce6628461a895263040879ad1dfccf958216ebc96b9c795d5b3ce688836c641", "type": "eql", - "version": 7 + "version": 8 }, "a68da7d6-7eab-45bd-97c5-93b469c0706e": { "rule_name": "Shell History Clearing via Environment Variables", "sha256": "947c4f4f578b77ec8de5b9313a87559740ab6d5272631cd859175d57e2c06c80", "type": "eql", - "version": 1 + "version": 2 }, "a698a653-e144-4e40-bade-35135935be45": { "rule_name": "Kubernetes Static Pod Manifest File Access", "sha256": "431eacdea1a3b80fdcde70fa178d5c24b34efa54a40431c2e2192ee86222d548", "type": "query", - "version": 1 + "version": 2 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", "sha256": "0aef85561df73b765eb845f8de00dd44020df10da07314fb87273d339f48199e", "type": "eql", - "version": 113 + "version": 114 }, "a6d4e070-b9b9-4294-b028-d9e21ad47413": { "rule_name": "Entra ID Protection User Alert and Device Registration", "sha256": "310fb191964cd8a1481bfde5eabce117f3b6e1f1134007c7bb846f0d233c50c7", "type": "eql", - "version": 4 + "version": 5 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "min_stack_version": "9.4", 
@@ -8441,125 +8478,125 @@ "rule_name": "High Mean of RDP Session Duration", "sha256": "0cf7caa172c255e31f5dcf206ca1101b180773c822559efef5ad87fde3d2d054", "type": "machine_learning", - "version": 109 + "version": 110 }, "a750bbcc-863f-41ef-9924-fd8224e23694": { "min_stack_version": "9.3", "rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers", "sha256": "31e7a49e77598252a554c7de32610e73a9bcd249edd8f11c4d792f3e14f2916d", "type": "eql", - "version": 3 + "version": 4 }, "a7577205-88a1-4a08-85d4-7b72a9a2e969": { "min_stack_version": "9.2", "rule_name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal", - "sha256": "b08945299b2979bc5b4cb397789d41998ee6fc5b71db51bfe41012ad68ba8e2b", + "sha256": "286a9fdb00de50fa7f9737c72f2b6e1017d20eaa821798e5b202732ffb6ed218", "type": "esql", - "version": 3 + "version": 5 }, "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": { "rule_name": "Execution via OpenClaw Agent", "sha256": "a9fb3ddbff42c0d57d6e0002f0d6155ea00cf381999b2af63577940aa8776c47", "type": "eql", - "version": 4 + "version": 5 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious Print Spooler SPL File Created", "sha256": "9a80dda429d15a1d127b965b832c36ae3ecc37b8d11e618da12fd5c3d7c2d9db", "type": "eql", - "version": 118 + "version": 119 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "09188e85df6c935a817c69aff47b5bb33c503487e0fb04907d556b52211719f9", "type": "eql", - "version": 317 + "version": 318 }, "a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": { "rule_name": "M365 Purview Security Compliance Signal", "sha256": "d963fc1b077051067a8bc042f00ec72e4f00312ac6bc459bfacda7b80c2b9ec4", "type": "query", - "version": 1 + "version": 2 }, "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": { "rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User", "sha256": "26c16152fd28558423e9c60d5393ad5482ec38ef5492aeb15ecfb8587231fddc", "type": "eql", - "version": 3 + "version": 4 }, 
"a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", "sha256": "a43c4cce90f10259b7f083ff5adbd8eca3f9cc3b122406f30ace77a409419d1b", "type": "new_terms", - "version": 7 + "version": 8 }, "a80ffc40-a256-475a-a86a-74361930cdb1": { "rule_name": "AWS IAM SAML Provider Created", "sha256": "8d2440f5b8111e88075595c64071b426a241d0e78819f05d6c66caeca7046f04", "type": "query", - "version": 3 + "version": 4 }, "a8256685-9736-465b-b159-f25a172d08e8": { "rule_name": "Suspicious Curl to Jamf Endpoint", "sha256": "c823ebf0672517c8ed1929f4379c1fac131417b4c0dca9ef94e1dea1560ad82a", "type": "eql", - "version": 2 + "version": 3 }, "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { "rule_name": "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker", "sha256": "84fcc460d0f329b6494b2756d4cb004798d5c54d8f76ee6b19ac2b149fc59a3a", "type": "query", - "version": 8 + "version": 9 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "5477bb1770d6318e393bcc2afa8bb0beb8c77aa1af475f245c7cb193b9f51338", "type": "query", - "version": 105 + "version": 106 }, "a87d49f0-24ae-4d6e-a0b4-5fd2f6188d6a": { "min_stack_version": "9.3", "rule_name": "Kubectl Secrets Enumeration Across All Namespaces", "sha256": "c380ca5eff3db9572f02a9c429106de2ea18f096aa7e9f0b4a7d3bcfd1d5e7b6", "type": "eql", - "version": 2 + "version": 3 }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { "rule_name": "Authentication via Unusual PAM Grantor", "sha256": "f46594fa786a8d96dc492f49de6a09e7c4bf69b2f8f6bba7fc371fe01c0140c3", "type": "new_terms", - "version": 6 + "version": 7 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", "sha256": "b083c7c924a0947dc0048039147a36632af5a70ced0a58b91f8d089faa8cf44f", "type": "eql", - "version": 9 + "version": 10 }, "a8b08d2d-6dfe-453f-87d1-11d5fc3ec746": { "min_stack_version": "9.3", "rule_name": "File Download Detected via 
Defend for Containers", "sha256": "dd24216e43c8d2d97f235518778ef26185e2277d713a56fc385c92a5ed05305b", "type": "eql", - "version": 3 + "version": 4 }, "a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": { "rule_name": "Newly Observed ScreenConnect Host Server", - "sha256": "42aea7c755e89c2bd3dc07f143d1900120f97192aa9e1d3400c34f98c42e26eb", + "sha256": "901d5325cdc68d1b37b24db1c28a0f7dcfcf2f864f57b82f4daa589f16989ef5", "type": "esql", - "version": 3 + "version": 5 }, "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { "rule_name": "Azure Storage Blob Retrieval via AzCopy", "sha256": "4cafd5b1d72e9099750d39514142a06221336044dc6ab66d5df8acf39358c552", "type": "new_terms", - "version": 3 + "version": 4 }, "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": { "rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand", "sha256": "55145a5b782b65b05f5834f544ec591950f607a59669ef53b3cf1cd0dfce7950", "type": "esql", - "version": 4 + "version": 5 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "min_stack_version": "9.4", @@ -8575,19 +8612,19 @@ "rule_name": "High Variance in RDP Session Duration", "sha256": "3f9e29581657650330798e93e0d4b843c0de67a256b30133da018e49aca461f2", "type": "machine_learning", - "version": 109 + "version": 110 }, "a8e7d6c5-b4a3-2918-0f9e-8d7c6b5a4032": { "rule_name": "Kubernetes Pod Exec Cloud Instance Metadata Access", "sha256": "19051cb2a65f548b54771af0f577af7e2eb44f76107957bf272b6015313fe25b", "type": "esql", - "version": 1 + "version": 2 }, "a8f3c2e1-4d5b-4e6f-8a9b-0c1d2e3f4a5b": { "rule_name": "AWS IAM Sensitive Operations via Lambda Execution Role", "sha256": "722248fbd97f34880ac46f44b6881220135ab96b0ffbff1f45977226ab809dde", "type": "query", - "version": 1 + "version": 2 }, "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { "min_stack_version": "9.4", 
@@ -8603,13 +8640,13 @@ "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", "sha256": "8a3a0a541278d7abc6675acd56413d6d3ec869a0bebfb0ef0bbb8f846c5adfc5", "type": "machine_learning", - "version": 104 + "version": 105 }, "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": { "rule_name": "React2Shell (CVE-2025-55182) Exploitation Attempt", "sha256": "a60f77fb20413deff742fb48c1ef902bdd8a712ed6eacc619eceaf824f93bfbe", "type": "eql", - "version": 1 + "version": 2 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", @@ -8621,31 +8658,31 @@ "rule_name": "M365 Exchange Email Safe Link Policy Disabled", "sha256": "6b995af6f7a66f483caeb7f4b0ed5e4fbce766890078ac36b73135b287bebc97", "type": "query", - "version": 213 + "version": 214 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", "sha256": "ab5be5778aeb2192c5a6b094c17c63ba6bec949da499eff193f5208975a9bf86", "type": "query", - "version": 210 + "version": 211 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "968e5d19c19da327582404a25be9dadac756379a58bb515651ea70f93c0059c5", "type": "eql", - "version": 216 + "version": 217 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "165337503847ed379edc1c1e54e7503406682e6849717aa2668355066215f1c6", "type": "query", - "version": 110 + "version": 111 }, "aa1e007a-2997-4247-b048-dd9344742560": { "rule_name": "Script Interpreter Connection to Non-Standard Port", "sha256": "e45fd015a2a23f9dae370bf76c6835579ef979403f82f2256fcf2c71dadae0e8", "type": "eql", - "version": 2 + "version": 3 }, "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": { "min_stack_version": "9.4", 
@@ -8661,31 +8698,31 @@ "rule_name": "Spike in Group Lifecycle Change Events", "sha256": "65061d6e84d85ff3f20ca8420b9fb9f8bad47f3264055c2fd6c4347a74673750", "type": "machine_learning", - "version": 104 + "version": 105 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", "sha256": "08a46011d52f72f80b008709b145d97420698886ef6cd771ecba32a0ed3ac316", "type": "query", - "version": 109 + "version": 110 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", "sha256": "7633b03ab034572bab063198511ae4e111488b09f58f32812662c42da32b9762", "type": "eql", - "version": 218 + "version": 219 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "rule_name": "Remotely Started Services via RPC", "sha256": "6044bf376ccf04ea41cce6830f9e16bb0e4e844f7476ebbddb782cf23d5f3dc4", "type": "eql", - "version": 218 + "version": 219 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "rule_name": "Veeam Backup Library Loaded by Unusual Process", "sha256": "40212eadfc73ddc6d9f2fba89b444a4f0646b6c991c6f16e3b33e61216bb6cda", "type": "eql", - "version": 6 + "version": 7 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", 
@@ -8697,43 +8734,43 @@ "rule_name": "GRUB Configuration Generation through Built-in Utilities", "sha256": "27610c9d7787e7f52bb7ead9aef37e9fb044dd6430bbe3d6769401682fde8596", "type": "eql", - "version": 6 + "version": 7 }, "ab25369e-ea5e-46f1-9cd5-478a0a4a131a": { "rule_name": "Multiple Elastic Defend Alerts by Agent", - "sha256": "ca36982b65f983afbd58ef8087bb1e67f1468ce5ff36888897cfda5e08b2e4f6", + "sha256": "ca121c6714b6416e730ad49c7313f25c4b680f8b38b6332271edb1a8590278c9", "type": "esql", - "version": 2 + "version": 3 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", "sha256": "800ec5ed633507891479b778135ca7c8a5269e65744649d1d8a0ea40408dc5d7", "type": "eql", - "version": 123 + "version": 124 }, "ab7795cc-0e0b-4f9d-a934-1f17a58f869a": { "rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)", "sha256": "9eb2c45dfa3291e5f9ceaf2caf261fbed05150c8688cdfc93f3c7731b5759f90", "type": "eql", - "version": 3 + "version": 4 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "rule_name": "AWS S3 Object Encryption Using External KMS Key", - "sha256": "8ccdf67f1d4b379fa6cc68be39217c56969856cc4f90870f049c0942c6268d93", + "sha256": "f78746bec8d16f8e147c24b40af66562e1041ebecef503a061a778bfb53da5c7", "type": "esql", - "version": 12 + "version": 14 }, "ab9a334a-f2c3-4f49-879f-480de71020d3": { "rule_name": "Unusual Library Load via Python", "sha256": "7a0ef5b6fa33fef315d70305319e2f28b52ecf4bcd373708a98ffb1312146928", "type": "eql", - "version": 2 + "version": 3 }, "aba3bc11-e02f-4a03-8889-d86ea1a44f76": { "rule_name": "Perl Outbound Network Connection", "sha256": "1199004d18d11cefa9e43650db5c565969e006d67b5da5d7cb5ec77c33114b01", "type": "eql", - "version": 2 + "version": 3 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "9.4", 
@@ -8749,49 +8786,49 @@ "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "9a73061513a45d35de86697c4b677a0b2e5dbc1f1d9a84b7f5d0d24234dda985", "type": "machine_learning", - "version": 310 + "version": 311 }, "abb7bc31-b865-4318-80a9-b9ee4edd57b6": { "rule_name": "Kubernetes API Request Impersonating Privileged Identity", "sha256": "47ddae266a654e4f71a1b66785569f16e1d60655d17563fb566a4b2b10259462", "type": "query", - "version": 1 + "version": 2 }, "abc7a2be-479e-428b-b0b3-1d22bda46dd9": { "rule_name": "Google Calendar C2 via Script Interpreter", "sha256": "cd3aac05b993742d0c467053b7548c79623f2da5a4d979c6abe448b797d3411c", "type": "eql", - "version": 2 + "version": 3 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", "sha256": "3458d345ab11b49c4e091f9cf2f1b6535e27e905407265f7ac9aef9dfb91564b", "type": "query", - "version": 112 + "version": 113 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", "sha256": "f72e495d77718926a77986259bf53a198b1fd96ed96ead06aa95fc1b3bb9cd6d", "type": "eql", - "version": 420 + "version": 421 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { "rule_name": "Git Hook Created or Modified", "sha256": "d613f940d2dddc9dad9333b8188f60d43dc30443a11f82c3821da4d4ac7cf4f7", "type": "eql", - "version": 108 + "version": 109 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "rule_name": "Outlook Home Page Registry Modification", "sha256": "3453811ef45dfeac70ddf054126131c00f9dc9bc32ded269570d7ed0d3c660f1", "type": "eql", - "version": 209 + "version": 210 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "rule_name": "WPS Office Exploitation via DLL Hijack", "sha256": "cef314234586cf1545f7d707ad192fd03d3e953b281e604e680f99949ed7e97f", "type": "eql", - "version": 106 + "version": 107 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "9.4", 
@@ -8807,7 +8844,7 @@ "rule_name": "Unusual AWS Command for a User", "sha256": "39f69f2d45fbc7e8dc0ec930f3b66d28754b3502bea0b2b1b8d0a8b7a229d199", "type": "machine_learning", - "version": 313 + "version": 314 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server", 
@@ -8819,37 +8856,43 @@ "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "3f9b5483fae2eb0413c7c38ead3683419d62efc4ed179f45151f5383ccff6ef4", "type": "query", - "version": 216 + "version": 217 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", "sha256": "72223005ab05d709e4988e024d34920e78f0de89f73f36f865dace15179a2abc", "type": "query", - "version": 211 + "version": 212 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "5df363ed16d64f340d500cc7c16cf64ac44edbe112391910d8559bcf4cfeede5", "type": "eql", - "version": 111 + "version": 112 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential macOS SSH Brute Force Detected", "sha256": "2a62d8689df1b549f8a9709b36bddcac030fbf8715e6fe481ec8e8b5434ef6e8", "type": "threshold", - "version": 113 + "version": 114 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "6e6fcdde0fee19516c1e5836d84451a1720fa05f69d37486795cb309731a5d0f", "type": "eql", - "version": 315 + "version": 316 + }, + "ad02da2f-443d-454c-a12e-d9e6c65831ff": { + "rule_name": "Suspicious Instance Metadata Service (IMDS) API Request", + "sha256": "6c885b8eac41827738f3fcbe182e4d52efd637f9afbb89701b80b0778c1b3a5a", + "type": "new_terms", + "version": 1 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "rule_name": "Signed Proxy Execution via MS Work Folders", "sha256": "b2f6c9bec79b6a35c9205b12fefba6eea6a3d58cc512e07f94ff0aedc61f79d0", "type": "eql", - "version": 317 + "version": 318 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", 
@@ -8861,13 +8904,13 @@ "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "c7bbefa6cd24512e29b52401dd4e13dae67b32db59c469837cc5157d7fb8f7ad", "type": "query", - "version": 210 + "version": 211 }, "ad5a3757-c872-4719-8c72-12d3f08db655": { "rule_name": "Openssl Client or Server Activity", "sha256": "8ee09f0722e3d4094b5116fcd3ccdf47c8466d3dedaf45a2bce8131e571a5590", "type": "eql", - "version": 108 + "version": 109 }, "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": { "min_stack_version": "9.4", 
@@ -8883,157 +8926,157 @@ "rule_name": "Decline in host-based traffic", "sha256": "a9db6c29e8b8c460f4f349d40a9db66f98d86d48043a2c992b7cb77ae0d82c0c", "type": "machine_learning", - "version": 105 + "version": 106 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "51d7f733e3374dcbe3976ae51a6bc313af267acc5db56d25e523260a910d942b", "type": "query", - "version": 217 + "version": 218 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "7e0e9edcd353321915ab04263138fc1a2c2cd6827c51ba0fe5874b5472b53d0f", "type": "eql", - "version": 111 + "version": 112 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { "rule_name": "Suspicious APT Package Manager Execution", "sha256": "750bf0616ef3c52e7f9c6631ec3e3cfea69beba6673151f2e6c6e12bd6e124ca", "type": "eql", - "version": 111 + "version": 112 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "File Transfer or Listener Established via Netcat", "sha256": "9a8cd6f888fb568bcebde8a607523abff1e1b5f2093b48a188b2627cf7128d9f", "type": "eql", - "version": 216 + "version": 217 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", "sha256": "25f56d2f9491f0092ef37953f27c85ac8fb17360040a148f54492118de0a5e17", "type": "eql", - "version": 14 + "version": 15 }, "ae32268b-bfd0-4c35-b002-13461b5830ca": { "rule_name": "AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN", "sha256": "16982d441cf7c3bd9a76f4382a9c20f7c5a0b6c0d541357c5d9ee793ea06855f", "type": "query", - "version": 1 + "version": 2 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "rule_name": "Suspicious File Creation via Kworker", "sha256": "6e872d7e24f0c0631132efe9f516b618480f9f40705f831a449c368918b4bb77", "type": "eql", - "version": 111 + "version": 112 }, "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b": { "rule_name": "Suspicious React Server Child Process", "sha256": 
"8fc6e17b6f87f1749ad3b2ec19e38059ad1d2b55818befec965af351912cd17d", "type": "eql", - "version": 3 + "version": 4 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "883090677565ee7aa2d93b1e7f79a7aa9d9ea846e70568a4cba3893649ac00bd", "type": "eql", - "version": 211 + "version": 212 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created by Previously Unknown Process", "sha256": "178fb249bd43c2383b67d1411b9fb257d092c368cea0ac05d03be5b785d42606", "type": "new_terms", - "version": 15 + "version": 16 }, "aeebe561-c338-4118-9924-8cb4e478aa58": { "rule_name": "CrowdStrike External Alerts", "sha256": "037f1bbd2a34edbd83be30b5fe879ea4147544e216a7ecf2e0337b876b72ec45", "type": "query", - "version": 2 + "version": 3 }, "af1e36fe-0abd-4463-b5ec-4e276dec0b26": { "rule_name": "Linux Telegram API Request", "sha256": "0a3c43255d3c95aedd0f97b4e22701b135b6b447294478eeb2109f17a773414d", "type": "eql", - "version": 5 + "version": 6 }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "Entra ID OAuth Device Code Grant by Unusual User", "sha256": "4fc095fc9ea36c19a1fb10bbbbccdb154cdd62f352e4dae8ea2ae5159c322f82", "type": "new_terms", - "version": 10 + "version": 11 }, "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": { "rule_name": "Okta Alerts Following Unusual Proxy Authentication", "sha256": "654269218ea4d36e4c6c44c897f0d1045a8e3958ec8ada141505606d41445514", "type": "eql", - "version": 3 + "version": 4 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", "sha256": "7d10e6efd142a09f199ae3461997c14ec7ea789aa43adcd41b7177e7664189c9", "type": "eql", - "version": 10 + "version": 11 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "rule_name": "Local Scheduled Task Creation", "sha256": "29f6f4c86ee173e96f81e6df15192dbe3420e73d4bde62a8efc9a4a338676008", "type": "eql", - "version": 213 + "version": 214 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "rule_name": 
"Network Activity Detected via cat", "sha256": "c7ba64794076705bc9730b99d67877072cc6f9ae46d2bea1a55cc73dab2a3ebc", "type": "eql", - "version": 12 + "version": 13 }, "afdca1e0-0f8a-4fcf-9e1e-95e09791e3cd": { "rule_name": "Curl Execution via Shell Profile", "sha256": "90ee59b3a454a03021437f01fc2442fd3503fe941f69d4a9b7fda0d1ca4af237", "type": "eql", - "version": 2 + "version": 3 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "rule_name": "Potential Privilege Escalation via Container Misconfiguration", "sha256": "7f9907f21f21b24e6aac00e4e7706f5dbc9c8ab5891e9ece18d88f30aaec68da", "type": "eql", - "version": 11 + "version": 12 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", "sha256": "4fd7e132e755404d1ae3176095c943d11912cc430d74e29e24622bf7b9118cf2", "type": "eql", - "version": 110 + "version": 111 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", "sha256": "2de0c7e6afc5a090ed826fbef600250fcaf3386d0dea5229916795bef6153462", "type": "eql", - "version": 111 + "version": 112 }, "b0450411-46e5-46d2-9b35-8b5dd9ba763e": { "rule_name": "Potential Denial of Azure OpenAI ML Service", - "sha256": "d051b64ad0087c58738ea692d5e4f34df38958811cba31ac68d403b214bdfb77", + "sha256": "c1ef34302dc9874b98d408675be77d3bbd72765a0566a6b19735cd3f44abfcf7", "type": "esql", - "version": 5 + "version": 7 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "rule_name": "Netsh Helper DLL", "sha256": "b7f6e527b15faa58aea7339a5470321f39e1884c6936aae54c724743a99b9b66", "type": "eql", - "version": 208 + "version": 209 }, "b07f0fba-0a78-11f0-8311-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Web Service", "sha256": "8dee5585853fc2cc29d0a3fa86c34646de7bc439f3082c135445169f367d5ede", "type": "new_terms", - "version": 6 + "version": 7 }, "b0c98cfb-0745-4513-b6f9-08dddb033490": { "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables", "sha256": 
"e448d9b59d2f49b4c015b5980d16a6a35c92a493127292ce515a5a6d268491f6", "type": "esql", - "version": 11 + "version": 12 }, "b11116fd-023c-4718-aeb8-fa9d283fc53b": { "min_stack_version": "9.3", @@ -9049,19 +9092,19 @@ "rule_name": "Kubeconfig File Creation or Modification", "sha256": "c170db655cc983bc2f7399ca8f83b883daa93945d755cb705d587cfed18454bf", "type": "eql", - "version": 104 + "version": 105 }, "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { "rule_name": "Hidden Directory Creation via Unusual Parent", "sha256": "a716f97119f1a7d01b1d42ed01f50aa1449a2b0330b185499e04caa530245f62", "type": "eql", - "version": 106 + "version": 107 }, "b1773d05-f349-45fb-9850-287b8f92f02d": { "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", - "sha256": "e961ffee8a9b22251e73628ba1a1675421a7f04f8279b096b29fa3ec412f31c1", + "sha256": "fe2dd63b825311ec149f4abbb7a2b4ac98755b8186de5519e40c46a42669e1c2", "type": "esql", - "version": 7 + "version": 9 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", 
@@ -9073,73 +9116,73 @@ "rule_name": "Potential Network Share Discovery", "sha256": "d7a2f1e37fdf49243ac43e4049ebc1395e41378971a27a1bbc4df975c9ac465a", "type": "eql", - "version": 110 + "version": 111 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", "sha256": "6f5749f79295a76dfb8b39ad7c7cd307890d4e6907b1978e040776de3c977e5b", "type": "machine_learning", - "version": 108 + "version": 109 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", "sha256": "9cbdcf3fafd22659be1b5e8eea827bb8893cc7512c49d88c46dd4cde92880ee2", "type": "eql", - "version": 218 + "version": 219 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion", "sha256": "34ec15b2762501830ba72e2159a10d9fa8710df212375f979160411eb08ffcb5", "type": "query", - "version": 213 + "version": 214 }, "b29b7652-219f-468b-aa1f-5da7bcc24b03": { "rule_name": "Potential Traffic Tunneling using QEMU", "sha256": "3bed4972669528914c4056e133fe899c9b4d6e66d957bce8d06c418ce3f1a32e", "type": "eql", - "version": 3 + "version": 4 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", "sha256": "df2d7525dd2d1f86cbcda0b5d9da2f2a62195e24e8a9a26ea63b47ecc7a2a7d4", "type": "eql", - "version": 214 + "version": 215 }, "b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": { "rule_name": "Azure Storage Account Deletions by User", "sha256": "9f4fc0bbadb6f42109d9f6264472caa5cfbd9ae6935c6b3e0a098c00ede91f06", "type": "threshold", - "version": 2 + "version": 3 }, "b2c3d4e5-f6a7-4890-b1c2-d3e4f5a60789": { "rule_name": "Kubernetes Pod Exec Sensitive File or Credential Path Access", "sha256": "06fbcbacaf9ae7b1d3578891aa86583861c48ccca12f5861d9996f25a84552a7", "type": "esql", - "version": 1 + "version": 2 }, "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": { "rule_name": "Potential Account Takeover - Mixed Logon Types", "sha256": 
"fec263f1a8e25a341fbc4d919058aefe36ed0aa33d27a7bef776cc039a301126", "type": "esql", - "version": 3 + "version": 4 }, "b2c3d4e5-f6a7-8901-bcde-f123456789ab": { "rule_name": "GenAI Process Compiling or Generating Executables", "sha256": "fcd00363e060ee80ac289741c1c9004fa4bbe11c759b50769070b13d5466008b", "type": "eql", - "version": 3 + "version": 4 }, "b2c3d4e5-f6a7-8901-bcde-f23456789012": { "rule_name": "GenAI or MCP Server Child Process Execution", "sha256": "26ee62ae8a201d334f1e43011a5acaa008ecb5e19c928b921faa25e0d95582b0", "type": "eql", - "version": 3 + "version": 4 }, "b2f8c4e1-6a73-4f1e-9c2d-8e5b0a1d3f7c": { "rule_name": "AWS EC2 Role GetCallerIdentity from New Source AS Organization", "sha256": "24583dae8dc1aba73158f2983e7c0a370cbddc64cdf80ad1a3ed2b84d9ea8870", "type": "new_terms", - "version": 1 + "version": 2 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "min_stack_version": "9.4", 
@@ -9155,74 +9198,74 @@ "rule_name": "Unusual Linux Username", "sha256": "a673ca8052fc4de0d8f2386e8976429868d4129e24c96fe5d0352c5de423237f", "type": "machine_learning", - "version": 207 + "version": 208 }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", "sha256": "ba3d38a0e3792f9fc94cbca598270b727fea2afd947bc1a201a93fd18ce7746b", "type": "eql", - "version": 9 + "version": 10 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "378bd1d2c1a58cde20ec32623670281d8a2167d171f8bfd09ec3a767c466ab03", "type": "eql", - "version": 322 + "version": 323 }, "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": { "rule_name": "Suspicious Python Shell Command Execution", - "sha256": "6cdfde87acbd94abc4aa15493236dc5cc3d5ba2b9477e6a84979cf1309c83e1f", + "sha256": "171fc7a88cb70dc2d963886c0e1f655e5e7d75971d87929cd8594e5a561a2628", "type": "esql", - "version": 4 + "version": 6 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "572bc27e692189379dafcde1361251f5e3e288eabd3bf6783395dc77d479a941", "type": "eql", - "version": 216 + "version": 217 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", "sha256": "aa4c16259c4ca94dffd3cb61e6cdba1aa20599065aaf7ae56a8a21eb1b08a65d", "type": "eql", - "version": 111 + "version": 112 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "rule_name": "AWS STS GetSessionToken Usage", "sha256": "b0f5631b927606bf9cd543de35f1eb1f4e1a5a5655e0dcc70fa9ef1b9dc1fd81", "type": "query", - "version": 211 + "version": 212 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "rule_name": "At.exe Command Lateral Movement", "sha256": "d31b85a4a0c3afbb2fa6829eab9297104af0e9d5fb668fe2f19260b5b0303df0", "type": "eql", - "version": 108 + "version": 109 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "rule_name": "Attempt to Delete an Okta Policy", "sha256": 
"09cc425582bd4ac3d390cbb63c58e980708b2e3f438f39b376f3f2a95b4a2346", "type": "query", - "version": 415 + "version": 416 }, "b4bd186b-69c6-45ad-8bef-5c35bbadeaef": { "min_stack_version": "9.3", "rule_name": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers", "sha256": "90830399dbd7961335bf3a8753f257d25c33dbcdbc1474f0e95c96133eea6f2e", "type": "eql", - "version": 3 + "version": 4 }, "b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c": { "rule_name": "Kubernetes Rapid Secret GET Activity Against Multiple Objects", "sha256": "e7c54086214a71bb038838607a536ef7aa41291266fa5de8bfed8550c1264f6d", "type": "esql", - "version": 2 + "version": 3 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via unshare and UID Change", "sha256": "3cd020f114e1352ff5935c6e5577a9adcf1860443b9620b2062b4dc2a5b72a4a", "type": "eql", - "version": 11 + "version": 12 }, "b53f1d73-150d-484d-8f02-222abeb5d5fa": { "min_stack_version": "9.3", 
@@ -9238,74 +9281,74 @@ "rule_name": "Kubernetes Direct API Request via Curl or Wget", "sha256": "5848bf5a4bd044df06ef95227df444a60c1471ca1bcb5523d37347327c87dc52", "type": "eql", - "version": 104 + "version": 105 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", "sha256": "ec49b73ddecb2a3d97ae0249883658375bafc409d58d3f59db1174f5aaeb3f85", "type": "eql", - "version": 320 + "version": 321 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "a9c315fd8704d74060623e2eccc8e9f3b65a119d4ed251abcdfdd52901b0379f", "type": "eql", - "version": 318 + "version": 319 }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", "sha256": "0021061d622b59482f91129c9afd828047712d6ca62d4a338937389e67656e41", "type": "new_terms", - "version": 8 + "version": 9 }, "b625c9ad-16e5-4f16-8d38-3e9631952554": { "rule_name": "AWS CloudShell Environment Created", "sha256": "5c7433e67902ee4b52322b5abc5120bfc4053b3280ef95a2a30a852c97a66aaf", "type": "query", - "version": 3 + "version": 4 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", "sha256": "a72ebf831df03c21d401b9f11214fb6941e12203f4375308a7cf89f9a8d39865", "type": "eql", - "version": 114 + "version": 115 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "c8097fa09dce15e87aeff4ba80fdb83d373b329e1e3c1253d68ead481505686a", "type": "eql", - "version": 215 + "version": 216 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "rule_name": "Potential Veeam Credential Access Command", "sha256": "05e08f6a48db8458789f9657614baed791232ae181993e95ccdf444a38300d81", "type": "eql", - "version": 210 + "version": 211 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", "sha256": 
"0a84161e37b3038a5efaae0ed7135d830767e9480bffeb05bdba6fb297f50e2c", "type": "eql", - "version": 110 + "version": 111 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "14d28d7f25487dce62c1587886b4b74480f9c2a4198f69e2e55470d4d623e08d", "type": "query", - "version": 109 + "version": 110 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "fc573fd91afba592e2599a9f648c7f7c87ba1b94a672fe37c1f1bc6f40fc905a", "type": "query", - "version": 415 + "version": 416 }, "b799720e-40d0-4dd6-9c9c-4f193a6ed643": { "min_stack_version": "9.3", "rule_name": "File Creation and Execution Detected via Defend for Containers", "sha256": "4e1519a4656adf5de7dc890fa4f66a7b9a90263c36d67d8096b6835ad4f17220", "type": "eql", - "version": 1 + "version": 2 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", @@ -9317,7 +9360,7 @@ "rule_name": "FortiGate Configuration File Downloaded", "sha256": "b65dfbbd01ddf09e8bd7de4c17e9af0caeda5f94219d9520352f4f63c62a2c71", "type": "eql", - "version": 3 + "version": 4 }, "b7f77c3c-1bcb-4afc-9ace-49357007947b": { "rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike", 
@@ -9329,86 +9372,86 @@ "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "d606a36377e206ed6b63e174f9aa93773b33099aaf113724d19e45c60c18555f", "type": "query", - "version": 414 + "version": 415 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", "sha256": "fa7b67791e4a1c0bddd450fbbbaf999f5c80e8ca6fdcb193e3822be4d331ba5b", "type": "new_terms", - "version": 8 + "version": 9 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "310b917a14e643bd8b9da746b930eca41250db760858b9591499e47052cc695e", "type": "query", - "version": 113 + "version": 114 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "372472e0e1be987ba5607f0b0985f7873818d79075d5d551094c911df93db55c", "type": "eql", - "version": 418 + "version": 419 }, "b84264aa-37a3-49f8-8bbc-60acbe9d4f86": { "min_stack_version": "9.3", "rule_name": "Tool Enumeration Detected via Defend for Containers", "sha256": "37e4e5763b25cbe64d5632bc00bbda463f9ba20fc814a0423fd17c8143dc22a0", "type": "eql", - "version": 1 + "version": 2 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", "sha256": "8902326fd29e6491af0a64878eb8f4e07e31da66e984848dff33107dfc14dc6f", "type": "eql", - "version": 212 + "version": 213 }, "b8c3e5d0-8a1a-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Recovery Services Resource Deleted", "sha256": "1b78e1a881f43c3177aead24fc927410356a5d006d1cda47e70d26a9e9641342", "type": "query", - "version": 1 + "version": 2 }, "b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e": { "rule_name": "AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure", "sha256": "9ee4397ac53d88b12b6a16d40ab8c34703453f21aa536fd9946f4989fc31d8f7", "type": "esql", - "version": 1 + "version": 2 }, "b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c": { "rule_name": "Potential Credential Discovery via Recursive Grep", 
"sha256": "6e1f7fd530c168e50461f4e7afc7b92b389edc311ca0657f61cae0b885e3fab0", "type": "esql", - "version": 1 + "version": 2 }, "b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": { "rule_name": "M365 Purview DLP Signal", "sha256": "e3ef983c1782d0d31d55c56f099f438dbf0e1180aa4222c17d078488f0692878", "type": "query", - "version": 2 + "version": 3 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "rule_name": "Kirbi File Creation", "sha256": "ecaa3fb532fa9adc94bdd4490159fd87d162a316b180bcc92f9911131f8bbaa3", "type": "eql", - "version": 316 + "version": 317 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "521aa3e9bb538b547685c1ec1a9f12c5c4e34de5c31cfb9f0bd18ed219ae178a", "type": "eql", - "version": 314 + "version": 315 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "rule_name": "Chkconfig Service Add", "sha256": "d0cc5c171239dbcb104a7489e747f4fa4712d1f0b9d0c7c2c40c266c6e44d456", "type": "eql", - "version": 219 + "version": 220 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", "sha256": "39ff2ecd53d1273176883da80f5c853cba5c7d5cffe7daac11a6b8735507dd0f", "type": "eql", - "version": 6 + "version": 7 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", 
@@ -9420,31 +9463,31 @@ "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "9ac9d0123bbe07619ef3f68e09b71e3a234dee94a91f0ad58a5ea042ad48a1b0", "type": "eql", - "version": 215 + "version": 216 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories via CommandLine", "sha256": "ccc20438dabf95f6714661407dca782bba70fc5acf468c799afa0997f7cfbd74", "type": "eql", - "version": 116 + "version": 117 }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "5623b8facb7575ee89888665115a6288b762d8c7cae967408f985102c8808ddb", "type": "eql", - "version": 317 + "version": 318 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "rule_name": "File Creation by Cups or Foomatic-rip Child", "sha256": "dca11625c815b4157b45c06d2d04e7f72ef5ba0ecdd1fed7cc9cfd8e42cd42ac", "type": "eql", - "version": 107 + "version": 108 }, "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e": { "rule_name": "Anomalous React Server Components Flight Data Patterns", "sha256": "0c4d821949f83cc7229d9d2a9c117db1c8e639e5e03279e9ec182569ea1e7232", "type": "eql", - "version": 1 + "version": 2 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "9.4", 
@@ -9460,67 +9503,67 @@ "rule_name": "Unusual Windows Network Activity", "sha256": "0833f86da12207c117de1da3165a8d471bbf136effa8f292075b2d66982d01cd", "type": "machine_learning", - "version": 311 + "version": 312 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", "sha256": "54a16034019a7ff529433229ee9420420463a6b64f855b1f8182e9c979f31d11", "type": "new_terms", - "version": 6 + "version": 7 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", "sha256": "881df1bf3e0d1bd5035f0163b4c6fbea98426fdad7f5e30cd133d408466dfd22", "type": "eql", - "version": 8 + "version": 9 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "6454e889c2cf1a148a8d04442b4e67982eff43b66dfcdbe6816253576c2ae7b6", "type": "eql", - "version": 214 + "version": 215 }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", "sha256": "461b925e57497fdcaf88f08873d86a0fb8d0e9ea1252e6c241ef05fffd27a95d", "type": "query", - "version": 8 + "version": 9 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deleted", "sha256": "4966f18990999e99b3a63b622da1f44cd27813206a0d44992e191ef7efd3f6d8", "type": "query", - "version": 109 + "version": 110 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", "sha256": "72ecee4d940e2c2157819f24ecedf8a8cb830b55105eac72e766fe6ced901463", "type": "query", - "version": 213 + "version": 214 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "M365 OneDrive Malware File Upload", "sha256": "f04d6d39681c375512b7e813dc80c792d70026ba6d551afbfa7734b166ea15cd", "type": "query", - "version": 213 + "version": 214 }, "bba8c7d1-172b-435d-9034-02ed9289c628": { "rule_name": "Potential Etherhiding C2 via Blockchain Connection", "sha256": "adf13fd4f74075a1c4d807c951b541af172e2bded395dbbfe1ba42983acd3d22", "type": "eql", - "version": 2 + "version": 3 }, 
"bbaa96b9-f36c-4898-ace2-581acb00a409": { "rule_name": "Potential SYN-Based Port Scan Detected", "sha256": "815c666bcc295daeb2243a634ef0d8210a3b075ef8218de881cc4d8e7cb3cfce", "type": "threshold", - "version": 14 + "version": 15 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "M365 Teams Custom Application Interaction Enabled", "sha256": "826ec6d81ce8b9a10f38fc995c045cd647df5d059bdac072fb532a9260900581", "type": "query", - "version": 214 + "version": 215 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "Deprecated - AWS Root Login Without MFA", @@ -9532,25 +9575,25 @@ "rule_name": "GCP Storage Bucket Deletion", "sha256": "37900dac2079159d4340059ef6567def876171c5672fdfc7278c6c8f0ca6fe79", "type": "query", - "version": 108 + "version": 109 }, "bc0fc359-68db-421e-a435-348ced7a7f92": { "rule_name": "Potential Privilege Escalation via Enlightenment", "sha256": "e0ba4cc9f179a908179ae1b8fb08501b168e5dd989246796d70691f3f4eff7f0", "type": "eql", - "version": 7 + "version": 8 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", "sha256": "7acb4cc8693f671522ac4141af3c6f946771d3534b18f6afef6140a69a1b8a52", "type": "eql", - "version": 110 + "version": 111 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Entra ID Conditional Access Policy (CAP) Modified", "sha256": "988c323c28814045bd05e064128d2969aaebf8c51e11e47537a3e2aa3f0767d2", "type": "new_terms", - "version": 110 + "version": 111 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "rule_name": "Deprecated - Potential Non-Standard Port SSH connection", 
@@ -9562,31 +9605,31 @@ "rule_name": "File and Directory Permissions Modification", "sha256": "1229abc2361eeaad582a81ee4da6660075a6f9350b3ed2da734f3651b6d383d5", "type": "eql", - "version": 4 + "version": 5 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", "sha256": "c37a8742cc3fe968d7ca34eae92c6bbf6d72f20a731a8e600078e0c76f998332", "type": "query", - "version": 108 + "version": 109 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "sha256": "56d1f942df83d7f90dce141e8d61ea6c55751a210ce9f2acedfd94a2aea52eea", "type": "query", - "version": 10 + "version": 11 }, "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": { "rule_name": "Entra ID Protection Alerts for User Detected", "sha256": "bf979378a73ec562baf65cabd933ec22b6c70d6c288387eed998e3836179e977", "type": "eql", - "version": 5 + "version": 6 }, "bd18f4a3-c4c6-43b9-a1e4-b05e09998110": { "rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab", "sha256": "87629b7d4d5b9fc75f1a26d77b396e39a528483a25c72d1238b5ebf5271839b9", "type": "eql", - "version": 4 + "version": 5 }, "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": { "min_stack_version": "9.4", 
@@ -9602,25 +9645,25 @@ "rule_name": "Spike in Privileged Command Execution by a User", "sha256": "7279a20292c17acab33b638a44a567480719079cc6518fe2f59f35f86e1e2cd4", "type": "machine_learning", - "version": 104 + "version": 105 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "rule_name": "PowerShell Keylogging Script", "sha256": "2b2c41d8349db184a3dfcf109c0e32f06a4e29eb8036f85956a55e479cedaf1c", "type": "query", - "version": 219 + "version": 220 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "ceeb8a74a863b5756a29ed6a9a6224998612c5ec72c4b20afaa84daa0dddbff1", "type": "eql", - "version": 109 + "version": 110 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "df28d4809713bc1224246014d11ffc61f9ef0436ecb8801c2fbd495bf8201d57", "type": "eql", - "version": 215 + "version": 216 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Deprecated - Potential Pspy Process Monitoring Detected", @@ -9632,13 +9675,13 @@ "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "1cc8b614d64dee3f72481d18cbea5d29b1c50f73e18f0bf1ace62841c74a8ee7", "type": "eql", - "version": 216 + "version": 217 }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "rule_name": "Execution via Windows Command Debugging Utility", "sha256": "caed468a427a737d9f364fbc48acbfd232a094fd7c94911ccb2b0d0c53acba07", "type": "eql", - "version": 111 + "version": 112 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "9.4", @@ -9654,7 +9697,7 @@ "rule_name": "Host Detected with Suspicious Windows Process(es)", "sha256": "65c718364c96010a79d85d5d5f9d03c5177768aef95e93280491ac2544384804", "type": "machine_learning", - "version": 211 + "version": 212 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "min_stack_version": "9.4", 
@@ -9670,31 +9713,31 @@ "rule_name": "Unusual Remote File Directory", "sha256": "a88cb06ef463fb2f2dd4327dd31c5d47692a0c11539c9e458a25c9f32b348668", "type": "machine_learning", - "version": 109 + "version": 110 }, "be70614d-4295-473c-a953-582aef41c865": { "rule_name": "Potential Data Exfiltration Through Curl", "sha256": "10a4816f54ea177fa9e3d1289e45f425f1497b53d4964f359dcd7a1cdd2e729d", "type": "eql", - "version": 7 + "version": 8 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "eb48a9a1d6f3695d16aabc2eac3cb9e8194fb43afd70c67b86f37958aff0734e", "type": "eql", - "version": 318 + "version": 319 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", "sha256": "4b30455cb83458f81769269a3dcfb5e5d22f50e9966e84c186dacdc5f9522ba9", "type": "query", - "version": 214 + "version": 215 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", "sha256": "8333574a0bd6910364814cb33d533eeb7ff3ce241fecbde36cde344d754dd008", "type": "new_terms", - "version": 8 + "version": 9 }, "bfba5158-1fd6-4937-a205-77d96213b341": { "min_stack_version": "9.4", 
@@ -9710,49 +9753,49 @@ "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "sha256": "e2736f2b927fe65d4fc0264b0645cba4262fbd1677b221588f935a637edb5e29", "type": "machine_learning", - "version": 107 + "version": 108 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "0b824a6c76d9e6ba990e3246a364639ed381da6595f7a64e4d7f87c5775b5c41", "type": "eql", - "version": 219 + "version": 220 }, "c0136397-f82a-45e5-9b9f-a3651d77e21a": { "rule_name": "GenAI Process Accessing Sensitive Files", "sha256": "7c9b692a829b9a52b6aad77ef0ca0d339f3a4ee67c3e4adddb2bafcc92231395", "type": "eql", - "version": 7 + "version": 8 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "0bd519abe65e56eef7207d3456911a0aaaeb511637bdc1491f081d31cf4b7bcc", "type": "eql", - "version": 114 + "version": 115 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "b6eebc798b4afada8d3bfa956f8703fcae15edef82c4f929e74945195f9edfee", "type": "eql", - "version": 316 + "version": 317 }, "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { "rule_name": "AWS IAM Login Profile Added for Root", "sha256": "fc6421375be76d4d0aeb919f460c45ddcd0823a216c78aec752e89f1a089b287", "type": "eql", - "version": 7 + "version": 8 }, "c07f7898-5dc3-11f0-9f27-f661ea17fbcd": { "rule_name": "Azure Key Vault Excessive Secret or Key Retrieved", "sha256": "6a9647be6235ab05a6f7dfabd7f0d07837ac5d2715b017dd8a41615e3cbda393", "type": "esql", - "version": 9 + "version": 10 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", "sha256": "9c208b045f8d819107c56a6d07dfab00cbb11c4b5f50381febbaac9d1a06045b", "type": "eql", - "version": 4 + "version": 5 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential Manipulation - Detected - Elastic 
Endgame", @@ -9764,7 +9807,7 @@ "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", "sha256": "2791043f63074536de6e74909024903fb85f453091d8d74b441586745316aeea", "type": "query", - "version": 108 + "version": 109 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { "rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File", 
@@ -9786,55 +9829,55 @@ "rule_name": "Rare Azure Activity Logs Event Failures", "sha256": "e2a374e0c05a03580026cac6094e7fd3d00628dc2cf6965875239f25a04d15b0", "type": "machine_learning", - "version": 101 + "version": 102 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "ffae753e96e57c8e771abab86446ad7034e302f6824a3d98b89951e0504bc73c", "type": "query", - "version": 213 + "version": 214 }, "c18975f5-676c-4091-b626-81e8938aa2ee": { "rule_name": "Potential RemoteMonologue Attack", "sha256": "ca992e1b21d0fb0f0754149fd57b64002ad44fe7f9e500b94ef60dabd6554ff0", "type": "eql", - "version": 7 + "version": 8 }, "c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User", "sha256": "2b8eebb4194717375909b29a3d0a794425d40404f5ccf9adf851172212ad6a63", "type": "new_terms", - "version": 2 + "version": 3 }, "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { "rule_name": "Unusual AWS S3 Object Encryption with SSE-C", "sha256": "53db6d3be010ac57b9e40bf2d75485e498825d37934550bd8ab3cf91ba0d85e7", "type": "new_terms", - "version": 8 + "version": 9 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance", "sha256": "bb336839fab870f4b8ceed4a37e64fa3808c9d4ec3557d5d7eb61cb308f89cab", "type": "new_terms", - "version": 9 + "version": 10 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "ee0bd1f86590675b1968e6c9acb3c60ff51ea57e2c22d45881495ae30a89caae", "type": "eql", - "version": 107 + "version": 108 }, "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", "sha256": "85e2710c5bac83b3134e7c2720609257a02d708edb281beb58dc59c73e2de482", "type": "eql", - "version": 7 + "version": 8 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": 
"fc40884b4f7c36580a2055b06ccce31e99c605042fc0bfad38e16a5124224c40", "type": "eql", - "version": 319 + "version": 320 }, "c28750fa-4092-11f0-aca6-f661ea17fbcd": { "rule_name": "Entra ID Sign-in BloodHound Suite User-Agent Detected", @@ -9856,31 +9899,31 @@ "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "3dc62da3e3d7eced397232fa5845611453226b59e213bd3c2165f786154ca80d", "type": "machine_learning", - "version": 207 + "version": 208 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", "sha256": "0e4561214fbcbee7b437528faea36307cf2255abd709788284dc2e7f5a740232", "type": "eql", - "version": 113 + "version": 114 }, "c296f888-eac6-4543-8da5-b6abb0d3304f": { "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", "sha256": "3928140ff2c2daa2baa63a3c01524bc5693142c460ae8797ab4165dacfd176cb", "type": "eql", - "version": 7 + "version": 8 }, "c2a91e88-4f4b-4e1d-9c7b-8fde112a9403": { "rule_name": "Kubernetes Multi-Resource Discovery", "sha256": "e9df8056e4a85a5472fe686ba09143d567fbfa73ea785130804494fd595a35ed", "type": "esql", - "version": 2 + "version": 3 }, "c2d90150-0133-451c-a783-533e736c12d7": { "rule_name": "Mshta Making Network Connections", "sha256": "67d1ef2cd2105b6cecf6813688a2ace55466bd1724113c42d7270a1b06b04c3f", "type": "eql", - "version": 213 + "version": 214 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", 
@@ -9892,67 +9935,67 @@ "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", "sha256": "f813eeef96588e7cc2eb90e1e91b32f2b9304bdb6c040357a4cf1ef6b41f0748", "type": "new_terms", - "version": 7 + "version": 8 }, "c37ffc64-da75-447e-ad1c-cbc64727b3b8": { "rule_name": "Suspicious Usage of bpf_probe_write_user Helper", "sha256": "7382f00fdf9d126382835eb8bee6dff6b8ee9806023856161c3f82b90b2ca17d", "type": "query", - "version": 5 + "version": 6 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "fe431606017738cc0bd512442d6aee9241821aa49a4476107d876e8521e564b3", "type": "eql", - "version": 415 + "version": 416 }, "c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f": { "rule_name": "Azure Compute Snapshot Deletion by Unusual User and Resource Group", "sha256": "a1d9d307839b1e0d90287d6c6ed01a10b4b39429715cb89a1c24aa185ef4492a", "type": "new_terms", - "version": 2 + "version": 3 }, "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": { "rule_name": "Suspicious Execution from VS Code Extension", "sha256": "0f323f54766502b2aad2e8d828583874f64015a7eeec98250bf8732f25af760a", "type": "eql", - "version": 3 + "version": 4 }, "c3d4e5f6-a7b8-9012-cdef-123456789abc": { "rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", "sha256": "0e3a9be309a444967ebb0ea0d972afde8a15a17b8b25372f908c366b1d81db60", "type": "eql", - "version": 3 + "version": 4 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "6a1e4a58107207bd64985edd80b630efbfb2c0257405b1e8eb91b08ce480f0eb", "type": "eql", - "version": 108 + "version": 109 }, "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": { "rule_name": "Multiple Remote Management Tool Vendors on Same Host", "sha256": "a2a54475f704eefeffbf2dcbcf805691146faa7d3123844010c0c45770bd3871", "type": "esql", - "version": 3 + "version": 4 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "rule_name": "Mounting Hidden or WebDav Remote Shares", 
"sha256": "b2f5778133cc8aec0658f483a77022ff1900c12bf95be595d306fb72db8ed0e5", "type": "eql", - "version": 317 + "version": 318 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6bacc434838270cd66c5fd783aca76bc1c83083165ba5a2b6dcff8bc6d8969a5", "type": "eql", - "version": 313 + "version": 314 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", "sha256": "212aaec8993088800bd4d7f70a7332eaf7e5bc714183097e26fb19acf8ebc70e", "type": "eql", - "version": 7 + "version": 8 }, "c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": { "min_stack_version": "9.3", 
@@ -9965,91 +10008,91 @@ "rule_name": "Attempted Private Key Access", "sha256": "433198f3e83515be6a9fb2d81a58e55f395ca9b6c12755ce513c08a8eccdf886", "type": "eql", - "version": 111 + "version": 112 }, "c562a800-cf97-464e-9d6f-84db91e86e10": { "rule_name": "Elastic Defend and Email Alerts Correlation", "sha256": "1d45173532d147acd49f542150b35f7e6997ea1d1c48a6d1d776f8414cf10ed5", "type": "esql", - "version": 4 + "version": 5 }, "c5637438-e32d-4bb3-bc13-bd7932b3289f": { "rule_name": "Unusual Base64 Encoding/Decoding Activity", - "sha256": "2d14a4c5396bcc49e6fe161442552ba4adf549a8847239fa8ecdb52c67edeb8c", + "sha256": "258ed700b47e9986b528be70273807ff6f0f6157da957fbb25e6923ae95f8860", "type": "esql", - "version": 11 + "version": 13 }, "c5677997-f75b-4cda-b830-a75920514096": { "rule_name": "Service Path Modification via sc.exe", "sha256": "22e84ad2b75e336fb97f7a6c7a63140dd8f907a4d863e0569c43993bbe498833", "type": "eql", - "version": 109 + "version": 110 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "34a8a87924c6ad4c5cef9cc2bc41b91633417cb0bbbfb65a121e7ff38c26de9b", "type": "eql", - "version": 316 + "version": 317 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "2c04fe383e0cbfd24a060a3f7df45e8a67ad83994225466b84eee7b04d91bcb4", "type": "query", - "version": 109 + "version": 110 }, "c595363f-52a6-49e1-9257-0e08ae043dbd": { "rule_name": "Pod or Container Creation with Suspicious Command-Line", "sha256": "6a5835653ce8a44460f7a6265334f5715cec34eef906940d610adfd93fef4883", "type": "eql", - "version": 2 + "version": 3 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "70e2670083262dede9e0ac99658ca19c7de178ec58e04799de51dd05c7de93a5", "type": "eql", - "version": 214 + "version": 215 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim 
Databases", "sha256": "c3c888b4c5012aed4c984e2bbe771206e5733964fdc51d7858755a9152742a52", "type": "eql", - "version": 315 + "version": 316 }, "c5da2519-160c-4cc9-bf69-b0223e99d0db": { "rule_name": "Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt", "sha256": "6b7e94971186501aac3530e4bee4b1247c1391d2aa9afe212581dacb76d121a5", "type": "eql", - "version": 3 + "version": 4 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "cf437520e3f654ae85ed65b5d0a9052889488f787bfefcf1a529f15710dd1037", "type": "eql", - "version": 318 + "version": 319 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "427f6a1dc62cfc31d666ea507e0534d2ccb1b1ab11ded936a7c642aca66c0ac2", "type": "query", - "version": 107 + "version": 108 }, "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { "rule_name": "Initramfs Unpacking via unmkinitramfs", "sha256": "670705faa3fa17cf9262d86f5f84c89d2b19a8d98e66695f0d696dd97dee6195", "type": "eql", - "version": 6 + "version": 7 }, "c62733ff-9373-4fdf-9733-3d992e148c93": { "rule_name": "Kubernetes Ephemeral Container Added to Pod", "sha256": "c790909bc3eda3e57868dee65181763def1dddb5b157ac1ecf5390a855d01b24", "type": "query", - "version": 1 + "version": 2 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", "sha256": "fb2fe11496bbfc2388fa376d8b542bf097de5191513c3955377d9ab1235a6d06", "type": "eql", - "version": 320 + "version": 321 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -10067,7 +10110,7 @@ "rule_name": "Suspicious Kerberos Authentication Ticket Request", "sha256": "732dee33aa6139e44513f5881a2dba96f5295987d88fcee4aacd52eb5d2eab03", "type": "eql", - "version": 5 + "version": 6 }, "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": { "min_stack_version": "9.2", 
@@ -10083,85 +10126,85 @@ "rule_name": "AWS IAM API Calls via Temporary Session Tokens", "sha256": "900d6953f4a641966f554449d8d96bb0358a325597f719a61787949c359dcd23", "type": "new_terms", - "version": 108 + "version": 109 }, "c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": { "rule_name": "Mount Launched Inside a Container", "sha256": "4d00e7499220c3c3a60f9749322ef6e1454af67f7ae410f4f6d7c3f28dff5f95", "type": "eql", - "version": 3 + "version": 4 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "db008a5c21d6a79b33bf9ea050857ae15016c5c6e40839e50335eb211f5f1295", "type": "query", - "version": 414 + "version": 415 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "rule_name": "Attempt to Modify an Okta Application", "sha256": "2e4dcf9c3c6df85922d74052995819ef82f67954d3d74e3ce29388cb2497151b", "type": "query", - "version": 413 + "version": 414 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", "sha256": "5abdcb56935324216ff8d42e978ebb491fbe54cafcc4d7fe8b3ac582d9ad5be1", "type": "eql", - "version": 7 + "version": 8 }, "c766bc56-fdca-11ef-b194-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Client", "sha256": "2754c97acd73e4a1a90ee94002f7eb0e7e45f5d98ba148f2d48097b6cf7db360", "type": "new_terms", - "version": 7 + "version": 8 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "rule_name": "Unusual Network Connection via DllHost", "sha256": "968760f56651ba90e6f5231336d0b45578d1163d2f2e90f692dffe853c7a96cf", "type": "eql", - "version": 213 + "version": 214 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", "sha256": "ce477162c8755daf91cd6ec21a989119639bc8eb2c0373f6e74309d5885da2ca", "type": "query", - "version": 210 + "version": 211 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Operation by dns.exe", "sha256": "5e7a49ea7a36e33b0fee16211e255c693da22703192b2401d1fe49fe7ba2915f", "type": 
"new_terms", - "version": 218 + "version": 219 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", "sha256": "3400eb9c633145b2e7439c65f498db5bfb7dcafd680699d908e79e11eda2a0fd", "type": "machine_learning", - "version": 110 + "version": 111 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", "sha256": "c214ac68f9bcf286e1bb6d40a6982c5bb92697877f85be0a95fbf6efa738cd74", "type": "eql", - "version": 112 + "version": 113 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "10648d7de1f37e2c2263dd57fc51389dffef0106a8e191d1c6011101668c0d04", "type": "new_terms", - "version": 111 + "version": 112 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", "sha256": "748d8e74b57ecaf308003adab7aad2e238595a50ae2ad8ab015b3f5553d1e10c", "type": "eql", - "version": 117 + "version": 118 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", "sha256": "10971404f4a346079b0483d85790d52dc211b28704722b156c33bb04e4afd15d", "type": "eql", - "version": 109 + "version": 110 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", 
@@ -10173,67 +10216,67 @@ "rule_name": "Parent Process PID Spoofing", "sha256": "df65039d7edf82d347ef415b2522979d9e33f3f6c9dfccfe777461e024aaf91f", "type": "eql", - "version": 111 + "version": 112 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "rule_name": "Potential Linux Ransomware Note Creation Detected", "sha256": "5970502fee1978894616af37f79e879604513bcf66ed22247fb150855080e587", "type": "eql", - "version": 15 + "version": 16 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "972012b725a4c8682ab12245bb0f090a12981eef449d2feb19ce9dc5859ada87", "type": "eql", - "version": 320 + "version": 321 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "352973abc5de6aa343cb0a43ebacdc47da892f5ab3ceaee64421d64f9d3f85d1", "type": "eql", - "version": 319 + "version": 320 }, "c8e4f1a2-9b3d-4c5e-a6f7-8b9c0d1e2f3a": { "rule_name": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization", "sha256": "8a3498f14621e9a31ea7d7aba56abfba0a48df0847f409fdbc1aa98c97650e11", "type": "new_terms", - "version": 1 + "version": 2 }, "c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": { "rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource", "sha256": "bd1d6bba6db66e65f1767382604d9b24e1294f3a9ffa4af53d24e543b873f322", "type": "new_terms", - "version": 4 + "version": 5 }, "c8f4a2e1-9b3d-4c7e-8f2a-1d0e5b6c7a89": { "rule_name": "Kubernetes RBAC Wildcard Elevation on Existing Role", - "sha256": "8be233686963dcee1e3681959cf8ee8ad11a290cf119c734323ac12993497b94", + "sha256": "ad0da3e88f87d640e35b24c46ab9d8e5f9e8c291883696c670cb5278a6a35bef", "type": "esql", - "version": 1 + "version": 3 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", "sha256": "cc426be014bfdaeb8153646d980d01ba3d006c7438be1bf1d22e0e29711ea1f6", "type": "eql", - "version": 13 + "version": 14 }, 
"c9636a6e-125e-11f1-9cd3-f661ea17fbce": { "rule_name": "M365 Exchange MFA Notification Email Deleted or Moved", "sha256": "094dc18b50795209d755efb3bdd0584e88c9ec87bae1488a08941d8589795aaf", "type": "eql", - "version": 3 + "version": 4 }, "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": { "rule_name": "Potential Remote Install via MsiExec", "sha256": "1f8c37ec7d8732adc850d44f0551c23cc024a117e900d86c18eddc1e1f5037c1", "type": "eql", - "version": 5 + "version": 6 }, "c9d4e8f1-2a3b-4c5d-8e9f-0a1b2c3d4e5f": { "rule_name": "Kubernetes Pod Exec with Curl or Wget to HTTPS", "sha256": "bfe3e798917b0efcd914fbaa1f3b4a7ac06bb0ae47317afd993519c12eca0dc0", "type": "esql", - "version": 1 + "version": 2 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", @@ -10245,25 +10288,25 @@ "rule_name": "Polkit Version Discovery", "sha256": "9057c8fc734774b49324b875ba5e83569cc77adb125c1abb70688ebfedcdbcc3", "type": "eql", - "version": 7 + "version": 8 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "M365 Exchange Malware Filter Rule Modified", "sha256": "40e40f2b6cade21188d70b1cc6876d692ccaf50e173a15c2d7f5bc6e26d1448b", "type": "query", - "version": 213 + "version": 214 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", "sha256": "2f434bb2fbc6b983bdb724b37e5d80a5191ada3fb55aee8ae2afd61e994acbd9", "type": "eql", - "version": 15 + "version": 16 }, "caaa8b78-367c-11f0-beb8-f661ea17fbcd": { "rule_name": "Entra ID User Reported Suspicious Activity", "sha256": "942738b94399d43ced484e1f6170b1627d22e29e30946bf629ef8b2978c50837", "type": "query", - "version": 6 + "version": 7 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", 
@@ -10275,31 +10318,31 @@ "rule_name": "Abnormal Process ID or Lock File Created", "sha256": "7741096692f9fe425bdb8c608cb7b6d139ecb608252b6e1bc29bea7446dce8b8", "type": "new_terms", - "version": 219 + "version": 220 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "8c2d19d60ea0eca73775d4c700e75c6ce53042b1235213dee6ff1a31e37bb5b1", "type": "query", - "version": 212 + "version": 213 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", "sha256": "c165e516becec15b1c1aa845d2f5d093956b2a7e28df7cb656de4b393ca6a50e", "type": "eql", - "version": 110 + "version": 111 }, "cbbe0523-33f3-4420-b88d-5c940d9e72c1": { "rule_name": "FortiGate Super Admin Account Creation", "sha256": "d7217f55364d8322b66e8c599721d64499e35c2cfb070e0b4e9ec22e497896a1", "type": "eql", - "version": 2 + "version": 3 }, "cbda9a0e-2be4-4eaa-9571-8d6a503e9828": { "rule_name": "Kubernetes Secret Access via Unusual User Agent", "sha256": "5c721d5177cca18be2b221ec5d1a2c3dbecc53be6c90ecc978f09a0ae0be5672", "type": "new_terms", - "version": 3 + "version": 4 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", @@ -10311,13 +10354,13 @@ "rule_name": "Attempt to Enable the Root Account", "sha256": "dc65243f14859cec0de10c90d31e854d1dfab19c45872d94ad5938971bf56fe6", "type": "eql", - "version": 111 + "version": 112 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "276e47f1c1a7661fdcc6d3c2b07f2989d6a5b3e39c40c0dfdf0fd3f7b8bc418b", "type": "esql", - "version": 311 + "version": 312 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "min_stack_version": "9.4", 
@@ -10333,31 +10376,31 @@ "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", "sha256": "e2f7d9be525edcabce6a79ec3d4e29a0d63faf3b3ce5c662631e46deee74aeb8", "type": "machine_learning", - "version": 107 + "version": 108 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "rule_name": "Google Workspace User Organizational Unit Changed", "sha256": "7ec6f7bcf0fd4a713ff9c6ad38220d76e00bca8d333e36385bc55f3afc788495", "type": "query", - "version": 111 + "version": 112 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", "sha256": "0b14b06375574bc3460aa42b0883902a71dda721561cbc763b1346983d30439d", "type": "query", - "version": 109 + "version": 110 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "f78afd3ef31ec247c8f93c3bded0ef9093593d4a4242d2da616e845a91d47463", "type": "query", - "version": 416 + "version": 417 }, "cca64114-fb8b-11ef-86e2-f661ea17fbce": { "rule_name": "Entra ID User Sign-in Brute Force Attempted", "sha256": "504d60716fcab3c62c39017161592cd1f993a179ce83dd9c3d56a64b35a046c1", "type": "esql", - "version": 9 + "version": 10 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", 
@@ -10369,20 +10412,20 @@ "rule_name": "M365 Entra ID Risk Detection Signal", "sha256": "80306f186a6e389d65f795a639aa14cc2d0d5e9278ce95f2eadbef633acdebc2", "type": "query", - "version": 2 + "version": 3 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "1f05b381a736d947775748f47767925c574667300ceab8fba31733fe5f0f0fea", "type": "query", - "version": 415 + "version": 416 }, "cd24c340-b778-44bd-ab69-2f739bd70ce1": { "min_stack_version": "9.3", "rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers", "sha256": "e426cd61370f7a3337d24e8fa843cb3ff9bc78469f0b54ef7f2f20320130b2e9", "type": "eql", - "version": 3 + "version": 4 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", 
@@ -10404,49 +10447,49 @@ "rule_name": "Anomalous Linux Compiler Activity", "sha256": "d580170ce5f9b525d575b03481dc0cff351e862ea09c42f5d0d27f1e1567dc86", "type": "machine_learning", - "version": 208 + "version": 209 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", "sha256": "94cc28cf394367383a56845044b14d18c01451f0e54fcce503353ef789d7d0cc", "type": "eql", - "version": 215 + "version": 216 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", "sha256": "e7da9e328dc068e58d02c3588b1b8169288b6dc8641369ffef8fa2f3dd2a7da5", "type": "eql", - "version": 9 + "version": 10 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "d062e4cdfbd30c711e2dc526868a474e5bed707bf2cd718b1b73f589d6d63332", "type": "eql", - "version": 419 + "version": 420 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "rule_name": "Okta User Session Impersonation", "sha256": "d1e454f298e77b0999edbb6252ad1bb10f84eff94a05ea0522b3bb3c02859802", "type": "query", - "version": 416 + "version": 417 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "4be76e64dd78a60dd653583d166ff23a96f61d81cc9540d321047abcbecc57ac", "type": "query", - "version": 221 + "version": 222 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { "rule_name": "Shadow File Modification by Unusual Process", "sha256": "fa212f11ff7dc31c458f4c5b4a44abf511bad5178eaab6a43dd2471e02b8de8b", "type": "eql", - "version": 7 + "version": 8 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "cb096a6dea392aedfc4158c3ea6faa4bbc4ba5dc20f240c5c486db678b44a67e", "type": "new_terms", - "version": 208 + "version": 209 }, "ce08cdb8-e6cb-46bb-a7cc-16d17547323f": { "min_stack_version": "9.4", 
@@ -10462,44 +10505,44 @@ "rule_name": "Unusual City for an Azure Activity Logs Event", "sha256": "e8a2532663bc99ed107bd3f71dfca99a418b5e691dd0c8311d997b2dcbcf37e7", "type": "machine_learning", - "version": 102 + "version": 103 }, "ce4a32e5-32aa-47e6-80da-ced6d234387d": { "rule_name": "GRUB Configuration File Creation", "sha256": "8171cdc003b23ecc74cd941913d99aa321de69230dc036f86df3e89ee88cc8a6", "type": "eql", - "version": 6 + "version": 7 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "d05044b0347897f56e49915d07ac39e23e1ccd2ce9e72cc40f427e958b496251", "type": "eql", - "version": 318 + "version": 319 }, "ce73954b-a0a4-4f05-b67b-294c500dac77": { "rule_name": "Kubernetes Service Account Secret Access", "sha256": "f037b6877c9466fa03677ff27ac9dc757799db083eafb89b01048fb5fb2e5336", "type": "eql", - "version": 4 + "version": 5 }, "cebabc1e-1145-4e39-b04b-34d621ee1e2c": { "min_stack_version": "9.3", "rule_name": "Shell Command-Line History Deletion Detected via Defend for Containers", "sha256": "979ca3e8ac0709e5e783a63e0ca0ccd14744cb170a17f6cc02fa41296d31801d", "type": "eql", - "version": 1 + "version": 2 }, "cf2b8cf5-3364-4396-b551-42aae9b6d37e": { "rule_name": "AWS SSM Session Manager Child Process Execution", "sha256": "b17735b656bbc81d70ff40989315103f3d8f3fcbfafb53bf3dc424ae9bd96070", "type": "query", - "version": 2 + "version": 3 }, "cf307a5a-d503-44a4-8158-db196d99c9df": { "rule_name": "Unusual Kill Signal", "sha256": "87b48799b45644f192a3001a0f4b89af47c77b4ee43ae485b40c621af5497e63", "type": "eql", - "version": 2 + "version": 3 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", 
@@ -10511,7 +10554,7 @@ "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "03ce40b74fdb6629caa18779e5369e9b7cb5144ddcc273d2708ffb29de856174", "type": "query", - "version": 210 + "version": 211 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { "rule_name": "Deprecated - Unusual Discovery Activity by User", @@ -10523,31 +10566,31 @@ "rule_name": "Trap Signals Execution", "sha256": "5d1c2a7fa37d485677c9525e57187ee14cae40657b6b37b87075a86b32fd53f2", "type": "eql", - "version": 6 + "version": 7 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "1cf0003b3ca2311e92a88d6dfe5f2172d9c346610169fa2fe67cca1dbb6e51da", "type": "eql", - "version": 322 + "version": 323 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", "sha256": "b3379c22774ddf7b3ad4cd9061769227cc13b67a811eed8e01aef15ddbb008eb", "type": "eql", - "version": 4 + "version": 5 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "rule_name": "Namespace Manipulation Using Unshare", "sha256": "7ce775edec6e2b9fd8f1f5e9790a1455232f7e73618d25ead665bd65ef08c238", "type": "eql", - "version": 116 + "version": 117 }, "d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": { "rule_name": "FortiGate Administrator Account Creation from Unusual Source", "sha256": "7daf11e701fa16bab823faa10886c4ccaae4187b0fb8c0bd88c578e3fb308798", "type": "new_terms", - "version": 2 + "version": 3 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "min_stack_version": "9.3", 
@@ -10563,67 +10606,67 @@ "rule_name": "Cloud Credential Search Detected via Defend for Containers", "sha256": "152389ffbec21b8c6cf4900a221557e3cbba23580dac8dcec675d8f6d38962d7", "type": "eql", - "version": 104 + "version": 105 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", "sha256": "b4f7eba2bacf2674558ed2020f01ac7344ecff673f119c66d8bf69963e5bdcd2", "type": "eql", - "version": 317 + "version": 318 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "91f370c60039a671e72337449587aafc3949520d1bc4a0aad944f952d97292f6", "type": "eql", - "version": 319 + "version": 320 }, "d121f0a8-4875-11f0-bb2b-f661ea17fbcd": { "rule_name": "Entra ID ADRS Token Request by Microsoft Authentication Broker", "sha256": "7b37bd4e071c45f94202000f79dbdb61c43277a88f56832e69af3e5209713192", "type": "query", - "version": 4 + "version": 5 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", "sha256": "5ce22bd1666f3e32e386cc8496062f37329380d440efdd91c6fe1802dc7323dc", "type": "eql", - "version": 10 + "version": 11 }, "d197478e-39f0-4347-a22f-ba654718b148": { "rule_name": "Compression DLL Loaded by Unusual Process", "sha256": "b8ef92cb19cb52e0bd7fb40cff7396636355fc683271c5bf1dbbd88a63e7753c", "type": "eql", - "version": 6 + "version": 7 }, "d19a2399-f8e2-4b10-80d8-a561ce9d24d1": { "rule_name": "System Binary Symlink to Suspicious Location", "sha256": "83f4835ace6e0cacb08b95892e3708076af8aa86de8a18edb56b641b451e2d61", "type": "new_terms", - "version": 5 + "version": 6 }, "d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7": { "rule_name": "AWS Rare Source AS Organization Activity", "sha256": "3aa90af79b03b53c743e4dcd0fd751c08cd550e2cc7cd3d6befd75fe1f03aa3c", "type": "esql", - "version": 1 + "version": 2 }, "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { "rule_name": "AWS EC2 Instance Console Login via Assumed Role", "sha256": 
"61f85c45874c50154a1dccbfdaa725b0313fe326ded94f01931dc0e5d05735c1", "type": "eql", - "version": 8 + "version": 9 }, "d1ee711a-a3ba-4d73-b5ab-84cab5b37fb3": { "rule_name": "Curl or Wget Egress Network Connection via LoLBin", "sha256": "ce203e6ef36a4f383860bdf870609761df68e02c57e8d531399a85f8423111d2", "type": "eql", - "version": 2 + "version": 3 }, "d1f310cb-5921-4d37-bbdf-cfdab7a6df9c": { "rule_name": "Privileged Container Creation with Host Directory Mount", "sha256": "75d684bf84179e6a25e644ac7d2db82a2d829dfdf5935cebecd941e03db6bf7d", "type": "eql", - "version": 2 + "version": 3 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", @@ -10635,13 +10678,13 @@ "rule_name": "Potential Microsoft Office Sandbox Evasion", "sha256": "762e4b15bacae2524f2eb4f6453f08cbabda5dc4ec577ed0a48d96b0f24b35df", "type": "eql", - "version": 111 + "version": 112 }, "d26331be-affe-46b2-bf4e-203d0e2d364c": { "rule_name": "AppArmor Profile Compilation via apparmor_parser", "sha256": "46f9b9dcc7c864ded6022aca5cdf7d66a3c6b1c46ede076a0e7cbbfcd22e3366", "type": "eql", - "version": 1 + "version": 2 }, "d2703b82-f92c-4489-a4a7-62aa29a62542": { "min_stack_version": "9.4", 
@@ -10657,79 +10700,79 @@ "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", "sha256": "0cedef065a88abd73d1662ab02552fdeee793d2ccf56f8eb78f729788dd786cf", "type": "machine_learning", - "version": 104 + "version": 105 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "d7a79c8c0bd79359418e9da37bf2de94c0807cd52386fb3373d97586dd42a0f4", "type": "eql", - "version": 318 + "version": 319 }, "d32f0c27-8edb-4bcf-975e-01696c961e08": { "rule_name": "AppArmor Policy Interface Access", "sha256": "540ec9c59c4ac14e4d8d22452a9727e0b44f48c1495a3a435a5f31c1d189dd96", "type": "eql", - "version": 1 + "version": 2 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", "sha256": "5bc1c4710d8d050588cfa022146eb44a57881fee2248fe986267feba1f4b5e51", "type": "eql", - "version": 322 + "version": 323 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "rule_name": "Remote Windows Service Installed", "sha256": "351040da536a8a222689ecf0d8ab1ba90a409e476f1222298de6b66d923d882d", "type": "eql", - "version": 114 + "version": 115 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "51c7d5aa91a02787b7a35cb450939619d0c1ce259e63a6fb6071f939b1b10e98", "type": "eql", - "version": 107 + "version": 108 }, "d3b6222f-537e-4b84-956a-3ebae2dcf811": { "rule_name": "Splunk External Alerts", "sha256": "f378f24577665171fd3b33d5b1172def6d1fa3fa89da6e34e50c43d6f969e922", "type": "query", - "version": 1 + "version": 2 }, "d43f2b43-02a1-4219-8ce9-10929a32a618": { "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", "sha256": "5159602762205589013e36bbd555824dadecd1d06e4df9e447253d043ff44ff9", "type": "esql", - "version": 11 + "version": 12 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", "sha256": 
"dde2f1948e3783288c5dda0fd4b020d47ac4e2ebc6daebe917d4a373dac35ab9", "type": "eql", - "version": 113 + "version": 114 }, "d4695889-0410-4e7b-a4aa-59be525a11a6": { "rule_name": "Entra ID Register Device with Unusual User Agent (Azure AD Join)", "sha256": "675401d2482999813274db5a1fcb768f91758024beb4c0c6695a66d8cdcd7add", "type": "query", - "version": 1 + "version": 2 }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", "sha256": "6bd7b6a580b9950f4a7a1d4911e00797056e57451d2c13d8236fa85a164dfcc6", "type": "eql", - "version": 8 + "version": 9 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", "sha256": "e0d1d6ba9b6ddf06ad72a0643f809d174cf9219b545d4dafb9b3c180160d2b19", "type": "query", - "version": 413 + "version": 414 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "f8132f6b4f1aa63e9d8e5d21d90394f93a1b56d7bf48aee2bb0c885b3549587b", "type": "query", - "version": 105 + "version": 106 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "min_stack_version": "9.4", @@ -10745,7 +10788,7 @@ "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "573b1809a649fa13bd4353d662f89857a9fe492c5d4c9c5572453e947abb52da", "type": "machine_learning", - "version": 207 + "version": 208 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "min_stack_version": "9.4", @@ -10761,13 +10804,13 @@ "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "eb3d13a478da5da270de435f9b6c3ac9f2aaa9e410767a5c8d5872f74b1a0e79", "type": "machine_learning", - "version": 208 + "version": 209 }, "d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f9a": { "rule_name": "Azure Compute Snapshot Deletions by User", "sha256": "0590c3ea783eef7a74ae9523153050ad013e39861a445e6d94296ba3c30fcb00", "type": "threshold", - "version": 2 + "version": 3 }, "d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a": { "min_stack_version": "9.3", 
@@ -10780,19 +10823,19 @@ "rule_name": "AWS IAM Customer Managed Policy Version Created or Default Version Set", "sha256": "b358dbfbed4eaf573315c79ec108874c58ce7ac3db8f94f63f765622b36a20d4", "type": "query", - "version": 1 + "version": 2 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "rule_name": "Linux init (PID 1) Secret Dump via GDB", "sha256": "12504527fe33d0f0d50bdee315c515557afbc1166edfdce8c68ddf82b11d3817", "type": "eql", - "version": 112 + "version": 113 }, "d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c": { "rule_name": "Kernel Module Load from Unusual Location", "sha256": "42ab912e8f87151cc830318d80b8fcacef86ad752a051c7f3c2a5bafdcc76af5", "type": "eql", - "version": 3 + "version": 4 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected", 
@@ -10804,49 +10847,49 @@ "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", "sha256": "39da3f93465e6657006f53771e217c4fc049da876a80117b4cd2e4d6ba155a2f", "type": "eql", - "version": 8 + "version": 9 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "6de04fbb3615cf52d1a00204c0cc7d5e126031bf5f50005e01881ede98097e80", "type": "eql", - "version": 316 + "version": 317 }, "d591d7af-399b-4888-b705-ae612690c48d": { "rule_name": "Newly Observed High Severity Suricata Alert", "sha256": "de1f830567ec7ac8c8a76bd6164a6af0895adedc8ceb7ea49c91dda648461626", "type": "esql", - "version": 3 + "version": 4 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "3086f8e9b0537db524ac52264f95c531385a9dd43a5942e444649fcad336c138", "type": "query", - "version": 415 + "version": 416 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", "sha256": "f6e11ce06e76dae63a181eb541563bd9478e69b749f15e3a5ac84fdefd47e11d", "type": "eql", - "version": 212 + "version": 213 }, "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { "rule_name": "Unusual DPKG Execution", "sha256": "189ec619c7b3f1acbaf3ec85c31d1cdef910e9f4fb1e9eee4e320cf66524c3eb", "type": "eql", - "version": 8 + "version": 9 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "a46f7108d987f5867d7a89f6ebead05786233dab13864eafc0980d67d2bbb886", "type": "query", - "version": 215 + "version": 216 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "afdbda3dde84fa473ded32b17d3c9c5a7f31bc6f7d069c45b4bd2a449afcae34", "type": "query", - "version": 110 + "version": 111 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", 
@@ -10858,91 +10901,91 @@ "rule_name": "IBM QRadar External Alerts", "sha256": "d87d352178c0de5f4c543c32276715abb35d6357dc42f75d84ac84b2401aa365", "type": "query", - "version": 1 + "version": 2 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "a12f6445936ab83bfae7520bc8f1d544d357ae58d9fca890908ee6320fefb81b", "type": "eql", - "version": 118 + "version": 119 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "M365 Exchange Anti-Phish Policy Deleted", "sha256": "9511b82aeec35d19961ca08da3e0fe578cfd57551921a610cef015721b43bc6e", "type": "query", - "version": 213 + "version": 214 }, "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": { "rule_name": "Potential Protocol Tunneling via Cloudflared", "sha256": "ce6454a80c785ff43356dc00ba0a798148f8a47cb228ba6ada6f7401d7741728", "type": "eql", - "version": 4 + "version": 5 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", "sha256": "6e66c624263fb09663f0683aee91a1c75afb76f643f116aa5e9eb16e8a6915d5", "type": "eql", - "version": 217 + "version": 218 }, "d70c966f-c5ef-4228-9548-346593cd422d": { "rule_name": "Unusual Process Connection to Docker or Containerd Socket", "sha256": "7d3b65bfb9efed8938e8d51a738e97060eb210b496bc611a1795c93ec01ffe47", "type": "query", - "version": 1 + "version": 2 }, "d7182e12-df8f-4ecf-b8f8-7cc0adcec425": { "rule_name": "Pbpaste Execution via Unusual Parent Process", "sha256": "3cfed4a1b0aa89c53b098fc2987859ebe883bc1267bc374ba18070c2e9a4f5e9", "type": "eql", - "version": 1 + "version": 2 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", "sha256": "6c8f7e690fc992ad98b1a2c1101f2ba9ed50cca218d536e7c1884a8f52471e45", "type": "eql", - "version": 319 + "version": 320 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "M365 Exchange Malware Filter Policy Deleted", "sha256": 
"3adaab0d509bfe15b688bc4f88053464321d610fa1ec88316130980d84582fb0", "type": "query", - "version": 213 + "version": 214 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "rule_name": "Suspicious Memory grep Activity", "sha256": "bd02b6e884a029c82503af499237b283074d0ca5c44c925afc8f88dcd6162644", "type": "eql", - "version": 109 + "version": 110 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", "sha256": "0eb4e9b2e8d7ae7e32cea1ab9708d0e2c67a166339ae6128cf014faf53bb202b", "type": "eql", - "version": 211 + "version": 212 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "rule_name": "Interactive Terminal Spawned via Python", "sha256": "6903d7db95ea1e3cd259c3ce0b5ca1cea3642360c9cfae1b6e55c16f174b1c7d", "type": "eql", - "version": 216 + "version": 217 }, "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": { "rule_name": "Python Site or User Customize File Creation", "sha256": "b1b0ab169ce762f2b928b00dbc60e869cc527620231972f6845fb6d33ec29a8b", "type": "eql", - "version": 7 + "version": 8 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Storage Permissions Modified", "sha256": "ded822ec5092e708b8c124227dbc29b933f95ea146bf4d92834bc41105e150bf", "type": "query", - "version": 110 + "version": 111 }, "d7b57cbd-de03-4c3b-8278-daa1ee4a6772": { "rule_name": "Suspicious Apple Mail Rule Plist Modification", "sha256": "a0c45fe46654506f314348d84713c3f366b341eea449497c5470f69c930e5b6b", "type": "eql", - "version": 2 + "version": 3 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "min_stack_version": "9.4", 
@@ -10958,116 +11001,116 @@ "rule_name": "Spike in Logon Events", "sha256": "c29b7f8eaa644ba59a41c217b164035424b0b42506ea6cae59993fbfea56b596", "type": "machine_learning", - "version": 208 + "version": 209 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", "sha256": "d525b40ecee5195fb6dd26c7e0a3b458d1002aa5d043016b236c48332cf0b40b", "type": "query", - "version": 111 + "version": 112 }, "d84a11c0-eb12-4e7d-8a0a-718e38351e29": { "rule_name": "Potential Machine Account Relay Attack via SMB", "sha256": "dd7dbcab64a1af066709c965e6e904bd1f93c69923a1cde4221dbe5b39ceea64", "type": "eql", - "version": 4 + "version": 5 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "rule_name": "Untrusted Driver Loaded", "sha256": "dd48411c421dd9a77c91fa3ff6ff6d14e61e1ae1d21e0c8c6502a895bd5f61d5", "type": "eql", - "version": 14 + "version": 15 }, "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": { "rule_name": "Potential REMCOS Trojan Execution", "sha256": "9980c44f4485b07a1b435cab511bf5458e092b30640924be72d91e2438814535", "type": "eql", - "version": 3 + "version": 4 }, "d8f2a1b3-c4e5-6789-abcd-ef0123456789": { "rule_name": "Ollama API Accessed from External Network", "sha256": "e3733d532630c219d6614d21fb75e356d22f16ec0a9ff3f0f60224843ab8c594", "type": "eql", - "version": 2 + "version": 3 }, "d8f4e3b0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collections Deleted", "sha256": "38554163bf5d4d1b147f9137f117e510d8f097d49b32da256957eb1ab28fe4f0", "type": "threshold", - "version": 2 + "version": 3 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", "sha256": "f45c32cad0da7a071d36e956585cc06c542c9a29b537439c503a699b2e8937d5", "type": "query", - "version": 216 + "version": 217 }, "d93e61db-82d6-4095-99aa-714988118064": { "rule_name": "NTDS Dump via Wbadmin", "sha256": "b5b01fd3137c66953523e88ed94247e81d9efe10e2782519d665bfeeb5e77648", "type": "eql", - "version": 209 + "version": 210 }, 
"d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "061af9c10cb05decbc575b0ae0c06c1bdd672222b3a888b953190222fa5b14e7", "type": "eql", - "version": 319 + "version": 320 }, "d9af2479-ad13-4471-a312-f586517f1243": { "rule_name": "Curl or Wget Spawned via Node.js", "sha256": "951ee0aea30e70bfde8e78165a1547a8b00bdc808aad4a313029de907d78bfc6", "type": "eql", - "version": 6 + "version": 7 }, "d9bfa475-270d-4b07-93cb-b1f49abe13da": { "min_stack_version": "9.3", "rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers", "sha256": "07b381c84cab6bd05cd985d2912671b0d45207acb284af1f93837b49a556c20c", "type": "eql", - "version": 3 + "version": 4 }, "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { "rule_name": "Sensitive Files Compression Inside A Container", "sha256": "9c333571d80d149931449ce4fe2f16cc2b89cb7d0b97e5360a06a35349eec9f6", "type": "eql", - "version": 4 + "version": 5 }, "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { "rule_name": "Suspicious Windows Command Shell Arguments", "sha256": "15f5dd84a9d960fdd0ea0c58c5ffb940e0756358d081435f8ae73ca59eaed3de", "type": "eql", - "version": 209 + "version": 210 }, "da0d4bae-33ee-11f0-a59f-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection", "sha256": "0f39ccaeadc0c6cf3a2ee85643d96368b7334c7b492b8517a90569b012196537", "type": "query", - "version": 2 + "version": 3 }, "da0ebebe-5ad3-4277-95e7-889f5a69b959": { "rule_name": "System Information Discovery via dmidecode from Parent Shell", "sha256": "c5119c7d8cb6ba0ab9fb94430ae2c2d1e3e6a6ebf20e2e18c60d9d4a5447293b", "type": "eql", - "version": 2 + "version": 3 }, "da4f56b8-9bc5-4003-a46c-d23616fbc691": { "rule_name": "PANW and Elastic Defend - Command and Control Correlation", "sha256": "9c4cc881a8a05c1e645c6fe4391834b009ca46b5124f18c1b821ee66b634a942", "type": "eql", - "version": 2 + "version": 3 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "rule_name": "Code Signing Policy Modification Through 
Registry", "sha256": "f176da9360e2f2c3e8860fe15eb235214bcd1dcb323c49fd9e72e96df1a1b1aa", "type": "eql", - "version": 217 + "version": 218 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "sha256": "d887a9027105bdf4a170339cbb9e7012eb40383c6c65812c787c1f612543ae11", "type": "query", - "version": 9 + "version": 10 }, "da7f7a93-26e1-49ce-b336-963c6dc17c7b": { "rule_name": "Multiple Machine Learning Alerts by Influencer Field", @@ -11079,7 +11122,7 @@ "rule_name": "Suspicious Service was Installed in the System", "sha256": "674d5611f7c4e7c2d56833a0a0b8b8f7afb23a14664b0b58853854141dfebc4a", "type": "eql", - "version": 117 + "version": 118 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", 
@@ -11091,37 +11134,37 @@ "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "c380424b1c7a8b15cd6c69f19e2aeb996b3c3fc438a6d4bf4b91a48d47e8f852", "type": "new_terms", - "version": 111 + "version": 112 }, "dacfbecd-7927-46a7-a8ba-feb65a2e990d": { "rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access", "sha256": "7698bb07813a340c67e08c1e0d6c46f4495d8677699f8d9107e8b142f7ca07f9", "type": "eql", - "version": 3 + "version": 4 }, "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22": { "rule_name": "Github Activity on a Private Repository from an Unusual IP", "sha256": "cdc80e68084ebe217495f688541fa82a88b6d61c98e0db63dc780d2bdb4f097d", "type": "new_terms", - "version": 3 + "version": 4 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Entra ID MFA Disabled for User", "sha256": "f6bdc31ea3c2eddf3ce464b3867eaec5b1aa65d326c6a8d9e15c3efe12d9debb", "type": "query", - "version": 111 + "version": 112 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "7bd11c1b9d14c0b64b5fc2d21036e0a4f3582a43c218da0a6826ca7aa6a33559", "type": "eql", - "version": 210 + "version": 211 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "c054d7bcf3340f3352424a90c89e9d0445764287f7293857c90eb806c386af43", "type": "eql", - "version": 217 + "version": 218 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", 
@@ -11133,19 +11176,19 @@ "rule_name": "Entra ID Service Principal with Unusual Source ASN", "sha256": "47e4c635bd2fc84b836711971b0d8c151eafaf5a921900bf220e58aea6fc9e00", "type": "new_terms", - "version": 3 + "version": 4 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", "sha256": "04a000054fd086fe35b3e52f9d3eb48095fbb9e0b2f9aacddf7ec8e892c6d415", "type": "eql", - "version": 111 + "version": 112 }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { "rule_name": "Git Hook Command Execution", "sha256": "df35f25f9ccc47ef6da1162061e6426b9e9a36091db4987ef34c162d36beacfd", "type": "eql", - "version": 108 + "version": 109 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", @@ -11157,31 +11200,31 @@ "rule_name": "Potential Hidden Process via Mount Hidepid", "sha256": "7e94ec06da053b5379f26e7355e1de6a3ec95c67115e9537b7ace9a1e062ad88", "type": "eql", - "version": 115 + "version": 116 }, "dc765fb2-0c99-4e57-8c11-dafdf1992b66": { "rule_name": "Dracut Module Creation", "sha256": "e7901044b018b0d51e7579987769d7d815f196e226c06f7802072f53c04388c1", "type": "eql", - "version": 6 + "version": 7 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "3acf373b176d3530fa50133aba0cc5e97d69dd9048f86a93ec51b82bbabd87eb", "type": "eql", - "version": 318 + "version": 319 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", "sha256": "5fcc8e1b8ffda2633c5e84605dbccd3b4fa19f61cb6746ba6f2e9673df63aa6f", "type": "machine_learning", - "version": 212 + "version": 213 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", "sha256": "bd9a3f37f0d0ab84e7db8a5a74cea5394ae79810a7375da4213f0f9a2c6fa870", "type": "eql", - "version": 213 + "version": 214 }, "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f": { "min_stack_version": "9.4", 
@@ -11197,19 +11240,19 @@ "rule_name": "Unusual Country For a GCP Event", "sha256": "e1b3ec7e1ad5085043b0e15521b9f164298bfc915884a6f8315a6e202ea53c00", "type": "machine_learning", - "version": 102 + "version": 103 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "rule_name": "Attempt to Install or Run Kali Linux via WSL", "sha256": "b4dec363cc87b83e8de55fe91c72957864534614c92d32f07c9a2356c8ea2b41", "type": "eql", - "version": 217 + "version": 218 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", "sha256": "61c08b145f474da52f1ef04e85dcb57c8943bda0687f41fc8d07ac5da39fcb73", "type": "eql", - "version": 9 + "version": 10 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "rule_name": "Reverse Shell Created via Named Pipe", 
@@ -11231,67 +11274,67 @@ "rule_name": "Docker Socket Enumeration", "sha256": "3b20c039973e88cff852dc38dbf06dcab6f9f7dddf03fff3e2c9b9ea124a1b4a", "type": "eql", - "version": 105 + "version": 106 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", "sha256": "57fc4d41f585e9622767d73c6374d8b6d69d72f69433691499262a4bf492032c", "type": "eql", - "version": 316 + "version": 317 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", "sha256": "ae224b4b5bf9c3ce6f6db645cadbc8352cd2f23dad4cf4b8359ff9cb689618e3", "type": "eql", - "version": 9 + "version": 10 }, "ddf26e25-3e30-42b2-92db-bde8eb82ad67": { "rule_name": "File Creation in /var/log via Suspicious Process", "sha256": "5f8ad4b3b68a18b84f5a900a3c5491e09f7b0f7e7080c501e059c8c08178977c", "type": "new_terms", - "version": 5 + "version": 6 }, "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": { "rule_name": "M365 Identity User Account Lockouts", "sha256": "5e9c7aba985f7171c814ece90db1ada7159ce434f744a6aaedd5bb6ec9c1e41d", "type": "esql", - "version": 9 + "version": 10 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "7791d75c96deb296d5cba1980599b03dd2283e6d586e2f8a6e12acdd83d40bb5", "type": "eql", - "version": 319 + "version": 320 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "cc614eb9ec6ed03a159b5db0dbf49482ecd4ad3eff42784b233103ac0f8201a2", "type": "eql", - "version": 216 + "version": 217 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", "sha256": "c565926c3852c56892fb0501188df9bc15a1e1513cf40aad90ba10370499a8fd", "type": "new_terms", - "version": 108 + "version": 109 }, "deee5856-25ba-438d-ae53-09d66f41b127": { "rule_name": "AWS EC2 Export Task", "sha256": "543ead44f26c16aa26bc746708c06f6531c20c28051bd501212c956b5a5e761c", "type": "query", - 
"version": 4 + "version": 5 }, "df0553c8-2296-45ef-b4dc-3b88c4c130a7": { "rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners", "sha256": "554697d96fc03f19bf3758bd9118b506f368879575889f932f4049755fd5e0bb", "type": "eql", - "version": 2 + "version": 3 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", "sha256": "a86e29ad36c65e20a6de39029ef2fd2b315fa075aa314ff2142a7f24e4da833a", "type": "new_terms", - "version": 13 + "version": 14 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "9.4", @@ -11307,31 +11350,31 @@ "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "b583da4a2219e9b0c1ca1bbb77ab1d2d1fa46c5e8caddef587789c410db5b995", "type": "machine_learning", - "version": 309 + "version": 310 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", "sha256": "48fc5e51a731f7f4cd946c1dd4f14311045c44adaeefced003d70db94d583d69", "type": "query", - "version": 107 + "version": 108 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { "rule_name": "Dynamic Linker Copy", "sha256": "74975fc1c4e9c6ba277040431b9fdeb13dcda0d536146b120add215ed4d701df", "type": "eql", - "version": 216 + "version": 217 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", "sha256": "83dd265459b1aa87e352d134366f7a3ddb21c45e95d2c3239472e71faefe7530", "type": "query", - "version": 210 + "version": 211 }, "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", "sha256": "e4dc1206fa6f829adfd9c13606980e85749ca4905cf5b656b4f4c60403d268c6", "type": "eql", - "version": 9 + "version": 10 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", 
@@ -11349,43 +11392,43 @@ "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "3f71996afbee4c685c8f52997c9df48706ea01c6b2de558474316098cbd78701", "type": "eql", - "version": 211 + "version": 212 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", "sha256": "eda677d08740a19834e652dd899736788b11c6cd08b52433e01e03a32ff45778", "type": "eql", - "version": 9 + "version": 10 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure VNet Firewall Policy Deleted", "sha256": "42fd83bb3ed5bb7a69511e4c90baba7006569871c9591996af8add54ba3f9535", "type": "query", - "version": 108 + "version": 109 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { "rule_name": "KRBTGT Delegation Backdoor", "sha256": "e267d4a1c0816edee33949500b7845ddffbc71f9e886b046cead5b47b8e3ffb8", "type": "eql", - "version": 214 + "version": 215 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "e589be7d2f86dabb5960decd210508e1d28f819cda2df6b1bb9b7902a8b06c62", "type": "eql", - "version": 114 + "version": 115 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "834c73e30108eabb04f904e2f9fb59222b3e3be8401ea3dc2ee9e6d14a39e09e", "type": "threshold", - "version": 417 + "version": 418 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", "sha256": "009201c6e671258aeae2bedc88405596018aabb7b315facd99b1f46ae2585cd3", "type": "eql", - "version": 111 + "version": 112 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "rule_name": "Whitespace Padding in Process Command Line", 
@@ -11397,13 +11440,13 @@ "rule_name": "Azure Event Hub Deleted", "sha256": "c2a4134579286f6aa1a9ecb0c4e6b4e70eafff7901ea15b721a52a78df45774d", "type": "query", - "version": 109 + "version": 110 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS EC2 Route Table Created", "sha256": "9b67864d91e23c630e30222f8b30ed291ee313d56d56ea5b11db2d831b11f177", "type": "new_terms", - "version": 214 + "version": 215 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "Deprecated - AWS RDS Cluster Creation", @@ -11415,7 +11458,7 @@ "rule_name": "Connection to External Network via Telnet", "sha256": "531ef817962d765ea1d1873aaba42843ea3beaae12f70d493be1b6b58326b983", "type": "eql", - "version": 213 + "version": 214 }, "e1db8899-97c1-4851-8993-3a3265353601": { "min_stack_version": "9.4", @@ -11431,13 +11474,13 @@ "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", "sha256": "f99d7c4b92f8aa673ebfc37fc27f755a33e5229dfab0fe63a64aeef8a64e7a63", "type": "machine_learning", - "version": 107 + "version": 108 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "rule_name": "Suspicious Mining Process Creation Event", "sha256": "c6b59218f0bd6a67c42d0853ef8efecafa69decfbdb0aa5c7f7edfe917c74a92", "type": "eql", - "version": 112 + "version": 113 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "9.4", 
@@ -11453,91 +11496,91 @@ "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "c5424dd0ac4759274a714f7da569350b4c2f72b6cda74241734321138dd7a90c", "type": "machine_learning", - "version": 208 + "version": 209 }, "e26c0f76-2e80-445b-9e98-ab5532ccc46f": { "rule_name": "Full Disk Access Permission Check", "sha256": "e7bb1fd6bdeaf8d10f670322c516617a75eaaa78ba368b994860add677b7f488", "type": "eql", - "version": 2 + "version": 3 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "330e090e05d199d784a30dba2d9a2b95c747892566f0625825f70a6c9a46c893", "type": "query", - "version": 322 + "version": 323 }, "e28b8093-833b-4eda-b877-0873d134cf3c": { "rule_name": "Network Traffic Capture via CAP_NET_RAW", "sha256": "fab7fa210a76157c989ee04aefd0795f455e6c208c1448b2998bc869fbc08430", "type": "new_terms", - "version": 7 + "version": 8 }, "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { "rule_name": "Suspicious pbpaste High Volume Activity", "sha256": "10d2ec7341493ccc024bc77312d038463740052c2544a13310264eb38ec7352a", "type": "eql", - "version": 5 + "version": 6 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", "sha256": "0f802b676e0147391d3eea1fc954cdbc66de1ad2fe46885703ab67114a37fe22", "type": "query", - "version": 214 + "version": 215 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "rule_name": "System Network Connections Discovery", "sha256": "f40303a3b6fe56ee00bf1284cc98b8436149887e35ef2c1c694e84084ad8f79c", "type": "new_terms", - "version": 8 + "version": 9 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "04376f49d3990dd86495c5322be8f5874dcdbda9800cd52e23e796d938b71bff", "type": "eql", - "version": 215 + "version": 216 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": 
"2a2acd0d225dd9d8108f917f710d14db75d681995fd899aa981695fd4099ed06", "type": "eql", - "version": 219 + "version": 220 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", "sha256": "320dce36d39b239293241a690b6787ec6882b7ecdc06c47d04b83e1b21d0242f", "type": "query", - "version": 108 + "version": 109 }, "e302e6c3-448c-4243-8d9b-d41da70db582": { "rule_name": "Potential Data Splitting Detected", "sha256": "70959d883cd0b3cf2e76630d3a39639178bb9c1f3664108165d1b139efff9d29", "type": "eql", - "version": 107 + "version": 108 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", "sha256": "060bd0e9905307e347187d0f7842f8203cb47e8722ab5137d88a4a17ee7fbf5a", "type": "eql", - "version": 319 + "version": 320 }, "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": { "rule_name": "FortiGate SSO Login Followed by Administrator Account Creation", "sha256": "cae7737dc54b6466c847d786b61bf90bd201f9da376d07c052e4788915499dab", "type": "eql", - "version": 3 + "version": 4 }, "e3bd85e9-7aff-46eb-b60e-20dfc9020d98": { "rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties", - "sha256": "a372e57ef0cef6f9c6715b56c0715f3e8ac8e1a4d65dc400f90aa6c3b39e9bfd", + "sha256": "16131654c5affdba210f70ec3c2fb8fe4f4bfa1035c942ad523946e7095ba136", "type": "esql", - "version": 8 + "version": 10 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC", "sha256": "3b98604c6f720ab440e9969e3346fc5362018681bd80872c3f4fb70111fa3f4c", "type": "query", - "version": 213 + "version": 214 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", 
@@ -11549,55 +11592,55 @@ "rule_name": "AWS Discovery API Calls from VPN ASN for the First Time by Identity", "sha256": "902d233527477d56bcbc2c834c105bf68b4b29cb533c1e1b99a2b114cf40f1c8", "type": "new_terms", - "version": 1 + "version": 2 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "e31a7dca3b6a465b5101c181f1b879b428da800176d02b1221220729aaf0d431", "type": "eql", - "version": 211 + "version": 212 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "rule_name": "KDE AutoStart Script or Desktop File Creation", "sha256": "86251b2eca0b5f3acf7e5da5bfb34467b59c79339df8798d4a928e1e2efc6cad", "type": "eql", - "version": 220 + "version": 221 }, "e3f5a566-df31-40cc-987c-24bc4bb94ba5": { "rule_name": "Persistence via a Hidden Plist Filename", "sha256": "e10babd2a4c59e058435d104fde73fcff04b3edff61dc053e1e33516665a6c8e", "type": "eql", - "version": 1 + "version": 2 }, "e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": { "rule_name": "SentinelOne Threat External Alerts", "sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e", "type": "query", - "version": 1 + "version": 2 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "79becf1ff7996919b22b9cac49062931ff331b772499da8b3f52b527c7dfeb78", "type": "new_terms", - "version": 111 + "version": 112 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "bdb8ba5a49e48f7068f93d065fa8dae667a8f2b828e9d74eeb56ab6119ff210b", "type": "query", - "version": 415 + "version": 416 }, "e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912": { "rule_name": "Sensitive Identity File Open by Suspicious Process via Auditd", "sha256": "374ca4536093e555bbef4ff26ebe4be6c8bcbbab2c9b655caaecca14ce351224", "type": "query", - "version": 1 + "version": 2 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "rule_name": "Service Creation via Local Kerberos Authentication", 
"sha256": "2835e011c2b091e7ca7df56076492ae247ab5a85004aa4b5799ea204433c5b33", "type": "eql", - "version": 214 + "version": 215 }, "e4feea34-3b62-4c83-b77f-018fbef48c00": { "min_stack_version": "9.2", @@ -11613,31 +11656,31 @@ "rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token", "sha256": "58839416fc9659a82bb183c3877b216b52626c83025ba5e2caffa9396998ce00", "type": "eql", - "version": 106 + "version": 107 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "23a60ea4249e0fcdf1f870c4a69bd461fdadf3f92058a07315813a7b88e72d3c", "type": "eql", - "version": 219 + "version": 220 }, "e516bf56-d51b-43e8-91ec-9e276331f433": { "rule_name": "Network Activity to a Suspicious Top Level Domain", "sha256": "7a5e47f5bd44607aa08a96e9f60e4b5e3e991f52a1a3e2ad835a3808872c2cbe", "type": "eql", - "version": 4 + "version": 5 }, "e5420ced-bc42-4783-a8df-99320567e090": { "rule_name": "Entra ID OAuth Device Code Phishing via AiTM", "sha256": "8bde43506fd1c2d1913d4fd289c639bf62d870c4fafc812c8d964ce2ebee5ee0", "type": "query", - "version": 1 + "version": 2 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "a6c636f24c7cf63487a0db4ee93fdb305a9e7766647d78bc310af47ac06f4733", "type": "query", - "version": 210 + "version": 211 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", 
@@ -11649,127 +11692,127 @@ "rule_name": "GitHub Authentication Token Access via Node.js", "sha256": "6a417d5d405f2f5407cee4783101473ada9b188d889fb655c65694110b02a589", "type": "eql", - "version": 4 + "version": 5 }, "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": { "rule_name": "First Time Seen DNS Query to RMM Domain", "sha256": "4572e3ea14df0faf4b8084faac4976128fcfc92c6bfc45ba262f2580675fd50c", "type": "esql", - "version": 4 + "version": 5 }, "e5f9a1b2-3c4d-4e6f-a7b8-9c0d1e2f3a4b": { "rule_name": "AWS EC2 Instance Profile Associated with Running Instance", "sha256": "226b26472af2c538610d1e0a15b1a952dd0fba90d63486b1e74c9a11f2ad4ea2", "type": "query", - "version": 1 + "version": 2 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "rule_name": "Bash Shell Profile Modification", "sha256": "2fd375388407792fd51a8969b707aa25f45b320020108a7979676d7a7f9a867e", "type": "query", - "version": 108 + "version": 109 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "rule_name": "Authorization Plugin Modification", "sha256": "17b73d3e39ffba68bb956e466370e9d6eaa7ebe30fc50598af1a624b1e18229c", "type": "eql", - "version": 112 + "version": 113 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "rule_name": "Possible Okta DoS Attack", "sha256": "f9ff8587149b2afa762f584f9089d3731b0b31ba76799adcff06c4fb444ae831", "type": "query", - "version": 414 + "version": 415 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", "sha256": "048555dd2466b4a537ebc22441d66a2efefb466f5505a45d435f0319e2802734", "type": "eql", - "version": 113 + "version": 114 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "727bfa432760b50171e1894d8c8b244ab5ccfc62c5b925c757c41d179d78d45c", "type": "query", - "version": 110 + "version": 111 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "rule_name": "Potential Credential Access via Memory Dump File Creation", "sha256": 
"22885ae14d09906f786705183a0dfa366fb542f4048dbe5e5b30dc12c0ac3e22", "type": "eql", - "version": 6 + "version": 7 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "rule_name": "Execution of Persistent Suspicious Program", "sha256": "17d574e7c23e80225a66e3a65e6914c036850e0db1f4e6e732f50f3c24f8f160", "type": "eql", - "version": 212 + "version": 213 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "4b20d1a797938d4bf6c8b100b8530798861aa4c34bac581498f7f945caa17d5d", "type": "eql", - "version": 313 + "version": 314 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { "rule_name": "Potential Windows Session Hijacking via CcmExec", "sha256": "a945f7bf00629ecb400737b7b14b28993acd3c43139ce6dd8fe3d023b380a938", "type": "eql", - "version": 6 + "version": 7 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "rule_name": "Unusual Process For MSSQL Service Accounts", "sha256": "f0e1c5528f65f66b87d2190eb338e758a3f0d5b44557e8e747dbefac8ca09623", "type": "eql", - "version": 7 + "version": 8 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "f55de11949383e8ffb3a4192eecf14866875ceeaa57bde8ee624939ca76fd6be", "type": "eql", - "version": 208 + "version": 209 }, "e7856173-6489-449f-80ec-c1f5fcd7b87c": { "rule_name": "Suspicious SUID Binary Execution", "sha256": "3ab2883a81df88c4292ed8b020245160915a89cf093f6328b0214b58896d1ccd", "type": "eql", - "version": 2 + "version": 3 }, "e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b": { "rule_name": "Curl or Wget Execution from Container Context", "sha256": "3f8ae9fc98a4b5464696708a194db0dadf788ad1d2c77233c68f478030024d14", "type": "query", - "version": 2 + "version": 3 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "rule_name": "Potential Linux Credential Dumping via Unshadow", "sha256": "a04dbcb36c1f1c440b37f7cae577b3ece10b72efdbfcddb813460c826ebc9310", "type": "eql", - "version": 114 + "version": 115 }, 
"e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS EC2 Route Table Modified or Deleted", "sha256": "2205c6c53afda6b21954cb4f3f25c96fc5c6978dda5e38205c466147e8b8c8f4", "type": "new_terms", - "version": 213 + "version": 214 }, "e7e0588b-2b55-4f88-afd1-cf98e95e0f58": { "rule_name": "Suspicious Outbound Network Connection via Unsigned Binary", "sha256": "0cab3f24cd193b08178b94d7a007dffe133ccb4bce1d98ee99aeee1e030c00eb", "type": "eql", - "version": 2 + "version": 3 }, "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": { "rule_name": "Potential Protocol Tunneling via Yuze", "sha256": "412e9aaeeb919c12903d28a97892e212d3f62b2429054811f7956dceb7871b7d", "type": "eql", - "version": 4 + "version": 5 }, "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { "rule_name": "Network Connection by Cups or Foomatic-rip Child", "sha256": "9dadc34c752b9bc0928030b436c8dc050e4c931a424ac3abd0aabc8c86180945", "type": "eql", - "version": 6 + "version": 7 }, "e819b7eb-c2d4-4adc-b0c9-658aeb140450": { "rule_name": "Lateral Movement Alerts from a Newly Observed User", 
@@ -11781,61 +11824,61 @@ "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "d84f36a2afbc144fef44ad9e64b127adac38a0aa0a79935942cc31275e6af59f", "type": "eql", - "version": 220 + "version": 221 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", "sha256": "96b67730d8ffb341e813867e0276ae18c765a4a89c3710d2963454743335821a", "type": "eql", - "version": 315 + "version": 316 }, "e882e934-2aaa-11f0-8272-f661ea17fbcc": { "rule_name": "Microsoft Graph Request Email Access by Unusual User and Client", "sha256": "afb5abbe83d85e4bfc0c4355dcb0fcdc60a91012e0ee14f6f6fc77e177fcda7a", "type": "new_terms", - "version": 6 + "version": 7 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "rule_name": "Host File System Changes via Windows Subsystem for Linux", "sha256": "d3e0d905b618b1535f2deed8102de10f9c45d79e7038e76eab62094063d444b0", "type": "eql", - "version": 114 + "version": 115 }, "e8b37f18-4804-4819-8602-4aba1169c9f4": { "rule_name": "GitHub Actions Workflow Modification Blocked", "sha256": "6938ae0fe092466ebe7a800629949a38ad4eb3da443917c54766b67839d2912d", "type": "esql", - "version": 6 + "version": 7 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", "sha256": "af263b39de7d96dc66778483b32a18131d2d78f294fccb516b20f02b3561d26a", "type": "eql", - "version": 10 + "version": 11 }, "e8ea6f58-0040-11f0-a243-f661ea17fbcd": { "rule_name": "AWS DynamoDB Table Exported to S3", "sha256": "e9c43384f812c32ac9f5ea58d4ce394b5a607f68a6941a3949ad2dd1c8c6ed49", "type": "new_terms", - "version": 7 + "version": 8 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", "sha256": "bed94ea17205b8c891d4ddb047a885b0302d991f1f9be008ba2c8dc7e4483618", "type": "new_terms", - "version": 112 + "version": 113 }, "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": { "rule_name": "Potential PowerShell Obfuscation 
via String Reordering", "sha256": "b59e0cbc56c4fb53787bc00632c6ceab167a0694f6b7fecc962d87dbbea24286", "type": "esql", - "version": 13 + "version": 14 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "bf0cca05ac39585a934fe378753788c53700f3e8756741b90086a08ec42e370c", "type": "threshold", - "version": 417 + "version": 418 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "Deprecated - AWS EC2 VM Export Failure", @@ -11857,25 +11900,25 @@ "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", "sha256": "5b22d537d80ab2e0d67e5b165b971868811ca16c1d70bb8c02f4909f50c8945d", "type": "machine_learning", - "version": 108 + "version": 109 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "d6c1aa3c45cbcc3f9d96b8f85efd889c870bb8993049a36ef372ca20e882d8c7", "type": "eql", - "version": 318 + "version": 319 }, "e9a3b2c1-d4f5-6789-0abc-def123456789": { "rule_name": "Ollama DNS Query to Untrusted Domain", "sha256": "5e3e4830d4541a4e622121b68abbd2dfd611a6127af90ffcc80d8a462369afc5", "type": "eql", - "version": 2 + "version": 3 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", "sha256": "baa994c1fe7f4dc602b62d56e07acb6a0e3752a04ab6347f182416d3ae2a0465", "type": "eql", - "version": 111 + "version": 112 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { "min_stack_version": "9.4", @@ -11891,7 +11934,7 @@ "rule_name": "Spike in Remote File Transfers", "sha256": "b5fc44379578795228550e1b83eaeb9e7e0126f4ed99201198f0cefb85c52110", "type": "machine_learning", - "version": 109 + "version": 110 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", 
@@ -11903,13 +11946,13 @@ "rule_name": "AWS EC2 Serial Console Access Enabled", "sha256": "50914bbf617175010dadedcd2ca391ecc37c172b7ed25599aa28b3f97dd1e043", "type": "query", - "version": 3 + "version": 4 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", "sha256": "7c465669f1e16c050c57c78eaf0a6374fc5a02a2a17346e81ea0e4e1ce2aef99", "type": "query", - "version": 107 + "version": 108 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", @@ -11931,25 +11974,25 @@ "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "18f984692e2ec7a1945f11db130429aaea89ba4e32aa4187f2def7337275a873", "type": "machine_learning", - "version": 211 + "version": 212 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy", "sha256": "aa1c1625dd82eb24ec01c42ec65095f631d903642a4a3e7aed22ba4a1355b97f", "type": "threshold", - "version": 216 + "version": 217 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", "sha256": "43fbc760dbb9d213111df81edfb92ab4f4902eb6c46f5bdfe3b1f0e215a38432", "type": "machine_learning", - "version": 109 + "version": 110 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", "sha256": "0392cad4ebbd3925824fb6d7902f524c2bc25be9f9b7c642869fb070d18502d2", "type": "eql", - "version": 10 + "version": 11 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", 
@@ -11961,19 +12004,19 @@ "rule_name": "Telnet Authentication Bypass via User Environment Variable", "sha256": "addac13158f89b3addaf29024a1c49c9396a2f87bc029975ea1f19735fcb49ab", "type": "eql", - "version": 3 + "version": 4 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "f994e110b50cb2736e928c79c4c504229652f18fda04a1328cd19dc6f0b6eb27", "type": "query", - "version": 110 + "version": 111 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "eaa7dc28c0ba71007f9a46582afef0a8096c44e0a86adce631ad580e33bc8acc", "type": "query", - "version": 218 + "version": 219 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "rule_name": "Suspicious Network Connection Attempt by Root", 
@@ -11985,38 +12028,38 @@ "rule_name": "Behavior - Prevented - Elastic Defend", "sha256": "02eda12d21fbff98e95223ba0596351a3c2e483be002663151be5c250edadc69", "type": "query", - "version": 5 + "version": 6 }, "eb958cb3-dead-42b6-94ff-b9de6721fab2": { "min_stack_version": "9.3", "rule_name": "Curl SOCKS Proxy Detected via Defend for Containers", "sha256": "b1f046cc6ad9e006048ddfcacca9aa967e5c89498422580dacd3eb6f803018d1", "type": "eql", - "version": 2 + "version": 3 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", "sha256": "a983e45d426bb8f3a4ef45dfd2f57506e858af2344cca3033b44a1671fdaa745", "type": "eql", - "version": 215 + "version": 216 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "56231d3c8e57ad67eef559e631d5025fa3d21b1307ebe044ebf1101c9f679348", "type": "eql", - "version": 419 + "version": 420 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", "sha256": "15c46a24e64047ef68bd03a84b821a716b491971416ef9b02883d970c07d56c7", "type": "eql", - "version": 318 + "version": 319 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "rule_name": "Process Execution from an Unusual Directory", "sha256": "bc67d00162d4bd5880558c09ba1388898c1594d83fe5d71927eaed1a8669f51e", "type": "eql", - "version": 320 + "version": 321 }, "ec604672-bed9-43e1-8871-cf591c052550": { "min_stack_version": "9.3", @@ -12032,13 +12075,13 @@ "rule_name": "File Execution Permission Modification Detected via Defend for Containers", "sha256": "4684363244e89ea872ffc5b25a90561dc40b3e284b58a2c4d394889bed620bf0", "type": "eql", - "version": 107 + "version": 108 }, "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": { "rule_name": "Kubernetes Forbidden Creation Request", "sha256": "09dc580af4f250fb15a73dc047af068447edce0b410ee07b9845a39184a09496", "type": "eql", - "version": 3 + "version": 4 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "rule_name": "M365 Exchange Inbox Forwarding Rule Created", 
@@ -12047,16 +12090,16 @@ "version": 213 }, "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { - "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", - "sha256": "33d196de5eaecf3864a3bb8ee494aaa4ee44ed5a27f25e452bcf28fa226c22dc", + "rule_name": "Suspicious Instance Metadata Service (IMDS) API Command Line Execution", + "sha256": "5dca349ec2b34ee711601e1eb5406883c80c7b9c3409d38cb345cace5c3288df", "type": "eql", - "version": 8 + "version": 10 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "rule_name": "Executable File with Unusual Extension", "sha256": "b9cbdb757c2d5778d0c1a517bd488966edd65b3f3716a9afe62b215d97b44f5d", "type": "eql", - "version": 4 + "version": 5 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "Deprecated - AWS RDS Instance/Cluster Stoppage", 
@@ -12068,55 +12111,55 @@ "rule_name": "Unusual Remote File Creation", "sha256": "f29aab770fc7ef7708a96949b02b0e60282b7199951b302c2fdffbd1893bb9e9", "type": "new_terms", - "version": 7 + "version": 8 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Entra ID Global Administrator Role Assigned (PIM User)", "sha256": "7cc31a789b7c74143fda38cba04d25c2603889e20c7dcd188f4ece32bf1d1426", "type": "query", - "version": 109 + "version": 110 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", "sha256": "5da6851210dd75f83e92706270154d54c07273e615cfe18134a17e7bf4ee3969", "type": "eql", - "version": 319 + "version": 320 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "703363f0e0174c2ee80e6f77652694e5162cc28d87e1c2e204dca58e5356c34c", "type": "query", - "version": 414 + "version": 415 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "2ad58626d16eda853776294192c4b7c37d50f48d4f20496bcdbc93e9f3d61f2e", "type": "eql", - "version": 321 + "version": 322 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "rule_name": "Linux User Account Creation", "sha256": "5560af4da75f6828cfd7b29908eba789035a6a7fb66d4380dc6d4acc5ff5a967", "type": "eql", - "version": 10 + "version": 11 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "rule_name": "Okta FastPass Phishing Detection", "sha256": "6dbed41461451dc5040bb4d309300f105a9ff9e96c0e3dcf65baa67ffdd640af", "type": "query", - "version": 312 + "version": 313 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "rule_name": "Unusual Print Spooler Child Process", "sha256": "680b0b509c4530e793e2e495bc660350fca76194950aca3d7499505c0eed9ade", "type": "eql", - "version": 217 + "version": 218 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "rule_name": "Shortcut File Written or Modified on Startup Folder", "sha256": "ed57ac9eacaf051cab3aeae3f09c0a59fdfb7eb9ca18e4ceada98adc47ac6bc6", "type": "eql", - 
"version": 4 + "version": 5 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", @@ -12128,13 +12171,13 @@ "rule_name": "Suspicious Execution from a WebDav Share", "sha256": "cb9ecbc855c3a9bf371ed5766b1f1a6cef2acba08494acf22942d88981b9a3c8", "type": "eql", - "version": 4 + "version": 5 }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "7a0362350bccdcf49752c63e045a43a649ae3127354129648e3ebd3c78e2b713", + "sha256": "7e94ba5f3a71b92a82127fd13074b0a47b5a195b6185a0c91e3dde09717423a4", "type": "eql", - "version": 113 + "version": 115 }, "eef9f8b5-48ec-44b5-b8bd-7b9b7d71853c": { "min_stack_version": "9.3", @@ -12150,25 +12193,25 @@ "rule_name": "Kubectl Apply Pod from URL", "sha256": "2871a014569f179baaf61a47aa3ed4dac8c9d1cdfcf046caa1f02877fa61f0fc", "type": "eql", - "version": 103 + "version": 104 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "rule_name": "BPF filter applied using TC", "sha256": "a3ca2a4019b1f9b82a42cdaa30c22e6b21138566a0f076dff76cc58ed8d5d943", "type": "eql", - "version": 215 + "version": 216 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", "sha256": "8641c7f69ff921eb91354ab0425fd0d989f5bf8bdaea934338fa5e03118cab42", "type": "eql", - "version": 113 + "version": 114 }, "ef395dff-be12-4a6e-8919-d87d627c2174": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option", "sha256": "e9dbef389b92ca88b2b526127180bb1f77f872b82ed5506e5e3531967903bfa3", "type": "eql", - "version": 5 + "version": 6 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "min_stack_version": "9.3", 
@@ -12184,13 +12227,13 @@ "rule_name": "Potential notify_on_release Container Escape Detected via Defend for Containers", "sha256": "fac418cef4e709d91017ce5c1eeaa17b08e05b05e91e0e7584f00c36d2c239ad", "type": "eql", - "version": 103 + "version": 104 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", "sha256": "1db39e102de230f0e5f11a6c3d8bc5633bbbb419481894a8935bb3421b5cf5c7", "type": "eql", - "version": 219 + "version": 220 }, "ef8cc01c-fc49-4954-a175-98569c646740": { "min_stack_version": "9.4", 
@@ -12206,91 +12249,91 @@ "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "sha256": "71567755940d538c15fd90849caad5bf4ee4a89e0afd72f43b9ceac4f9ec3f1b", "type": "machine_learning", - "version": 108 + "version": 109 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "90d47b1e899493d89143f8cd27fabf5811ebff7fe3c0fc8cefd0ad0f234155d4", "type": "eql", - "version": 214 + "version": 215 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "rule_name": "Suspicious HTML File Creation", "sha256": "8f7b437675b9cbd0e34995768cab78c83a9aaf0aa77c6029975fa1df36288295", "type": "eql", - "version": 113 + "version": 114 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "rule_name": "Okta User Assigned Administrator Role", "sha256": "2fd1365685f9e79ac576991cdb849afc70a64f0b0a5704b845cb04f44a7892c1", "type": "query", - "version": 415 + "version": 416 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "sha256": "086b4d37de07398af3828f86c06b19b7daa37d14b98d16b1236a284a3e119b99", "type": "eql", - "version": 115 + "version": 116 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Diagnostic Settings Alert Suppression Rule Created or Modified", "sha256": "8b1cd77d90733f7dbd27b5fa93888a24d03bd9e802b97882331f8fd173e040cf", "type": "query", - "version": 109 + "version": 110 }, "f0cc239b-67fa-46fc-89d4-f861753a40f5": { "rule_name": "M365 or Entra ID Identity Sign-in from a Suspicious Source", - "sha256": "b018cb831bab9746612fb38c1c6080689b2ab4bb4ccfa34a88b794eb86e4b5a7", + "sha256": "12a6f5eeb93353e06ee26685e0f49e87f4447df42a8a21c140b0e7729fc41860", "type": "esql", - "version": 7 + "version": 9 }, "f0dbff4c-1aa7-4458-9ed5-ada472f64970": { "rule_name": "dMSA Account Creation by an Unusual User", "sha256": "28416e6918e51a300324bffb33451ff11a943ec5dc6075a7cd04e1d85f4fcb07", "type": "new_terms", - "version": 5 + "version": 6 }, 
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", "sha256": "32ada2c4a68d705cc598de4bde5cc1be7e0516bae9dad176373243f9fc65c0c2", "type": "eql", - "version": 111 + "version": 112 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "rule_name": "Suspicious Child Execution via Web Server", "sha256": "92e68a660ef180ceb453fee81c78a5fdc2c39b9351c923d2aca6901a11f0e360", "type": "eql", - "version": 113 + "version": 114 }, "f18a474c-3632-427f-bcf5-363c994309ee": { "rule_name": "Process Capability Set via setcap Utility", "sha256": "dbc36b11a558109353c290252cfc47fa5b88768748732ceb11ed91403dd76705", "type": "eql", - "version": 106 + "version": 107 }, "f1a2b3c4-d5e6-4789-a012-3456789abc01": { "rule_name": "Kubernetes Pod Exec Potential Reverse Shell", "sha256": "c7e91f6c8b2f39082470926c780b65b578a79523ed0d2eef013c950f9b6f150a", "type": "esql", - "version": 1 + "version": 2 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", "sha256": "fa20fb477b98059cdcedc8515e55e02f1f0f705253f61f5f68683154a52bf7c8", "type": "query", - "version": 7 + "version": 8 }, "f1f3070e-045c-4e03-ae58-d11d43d2ee51": { "rule_name": "Manual Loading of a Suspicious Chromium Extension", "sha256": "ef1b596dbcc21f0ff44dd908eee0347efe6248aa5bdf14b884c61df77b777949", "type": "eql", - "version": 2 + "version": 3 }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", "sha256": "8ad36bf549c8e2d030b047008548086597c14917e95fb16824216d0b6e03fbc9", "type": "eql", - "version": 9 + "version": 10 }, "f20d1782-e783-4ed0-a0c4-946899a98a7c": { "min_stack_version": "9.4", @@ -12306,7 +12349,7 @@ "rule_name": "Unusual City For a GCP Event", "sha256": "8eb28f90d5cd908568c9a395131d2080306c30096616c06ee1c3985dbdaa83f9", "type": "machine_learning", - "version": 102 + "version": 103 }, "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": { "min_stack_version": "9.3", 
@@ -12319,74 +12362,74 @@ "rule_name": "Service Path Modification", "sha256": "479c0261e46fdc70b821b6577c00bdd690bec74af99f5f6a36350458a33dcaca", "type": "eql", - "version": 107 + "version": 108 }, "f246e70e-5e20-4006-8460-d72b023d6adf": { "min_stack_version": "9.3", "rule_name": "Modification of Persistence Relevant Files Detected via Defend for Containers", "sha256": "3d7e318f67c97976127e145e374accefe76ed153e63466f41c6c788e5a1ba230", "type": "eql", - "version": 2 + "version": 3 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "45f3aba3743e27c3175dc85c3bb918ef1ddeb13d337dd61d81634e7b6d7ed1ce", "type": "eql", - "version": 114 + "version": 115 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "rule_name": "Potential OpenSSH Backdoor Logging Activity", "sha256": "327423f201c4aefab10ca8e4a5e9604d884907651d4475cc37c199a277b289a8", "type": "eql", - "version": 215 + "version": 216 }, "f2a3b4c5-d6e7-4f89-a012-b3c4d5e6f789": { "rule_name": "AWS STS GetFederationToken with AdministratorAccess in Request", "sha256": "91174dba23bc43a851dead24976835e0676adbd66157638393d08f763e89f99e", "type": "query", - "version": 1 + "version": 2 }, "f2a8c4d1-6b3e-4a9f-8c2d-1e5f7a9b0c4d": { "rule_name": "Potential Privilege Escalation in Container via Runc Init", "sha256": "6fbd2f2d731383ed9178b410b4cafc180a818c0b740dd9a77422871ea17e10e1", "type": "query", - "version": 1 + "version": 2 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Detected - Elastic Defend", "sha256": "41ad2b2030986dcdd6d5acd828d369cbf10f4b53afd0cbc73f44834f48ac57aa", "type": "query", - "version": 5 + "version": 6 }, "f2c43e8c-ccf2-4eab-9e9a-e335da253773": { "rule_name": "M365 Purview Insider Risk Signal", "sha256": "7b79f31c41b50f2de307dec4edf986446644ccdd5d81087cd0d65070e5bc6841", "type": "query", - "version": 1 + "version": 2 }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "rule_name": "AWS Bedrock Invocations without Guardrails 
Detected by a Single User Over a Session", - "sha256": "fb2f06600975682327919ea6da257a7190a1e93ff582838cf3175181d49386cd", + "sha256": "6ff7d13565c3fa8aaf9cead54500dbc3dd13e124a87f2b6c7eaf2d0d528cd55f", "type": "esql", - "version": 5 + "version": 7 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", "sha256": "dd9efc0a3ffb4c20b6356fa5966046c6d5c8014667ba8d56f8028261e21cd508", "type": "eql", - "version": 316 + "version": 317 }, "f2e21713-1eac-4908-a782-1b49c7e9d53b": { "rule_name": "Kubernetes Service Account Modified RBAC Objects", "sha256": "970354cbf4c8525c8836fda8fdd3ab8f107769ab8b4d4a7c341afd376449a261", "type": "query", - "version": 3 + "version": 4 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", "sha256": "e67746f8ea85b9aebd84e067fe5be4217f8d5382337a0a23661ea8202ab92a64", "type": "eql", - "version": 316 + "version": 317 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "rule_name": "Deprecated - AWS RDS Instance Creation", 
@@ -12398,49 +12441,49 @@ "rule_name": "Google Workspace Object Copied to External Drive with App Consent", "sha256": "9d1a8b1da8853216b701b3b7ccea1089b6689b2a0de289b79746bd6a7db343f0", "type": "eql", - "version": 13 + "version": 14 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "sha256": "e86a0477a7cb46e3ade238a3b3e865a455c9ce4830f4b82a07926f3c757e1546", "type": "query", - "version": 9 + "version": 10 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", "sha256": "79000745ecb9f28c29dc37aa11e735c6fd1e2071d72b6c828cdc06293ce6d97b", "type": "eql", - "version": 218 + "version": 219 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt", "sha256": "0514c676be47b85dcf14f42d8d1cdf053122f7506f0b5eef242a105e5dfe4ed1", "type": "threshold", - "version": 109 + "version": 110 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { "rule_name": "Suspicious Network Connection via systemd", "sha256": "6a81be3e4096d5230ed6ddb6d5e9ed0624a4404f651a9aaaee9491b33a744050", "type": "eql", - "version": 10 + "version": 11 }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", "sha256": "461cca8e6da44cb954ccd1568e0195772daa254860053359bea965b58e5b3560", "type": "esql", - "version": 11 + "version": 12 }, "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", "sha256": "e0cd0eab0070a7deca66e3db5b6508709873263b818c68be1f560cd32e5ccbb1", "type": "new_terms", - "version": 6 + "version": 7 }, "f3ac6734-7e52-4a0d-90b7-6847bf4308f2": { "rule_name": "Web Server Potential Command Injection Request", - "sha256": "5812c308169a8a574e71c2c86b2e0de69913521b67e5d655346bf0f7e65fb092", + "sha256": "18b9d436c23a244a1c4fe534f6f95c583b675b339e0759f03ee429d00de80a5f", "type": "esql", - "version": 6 + "version": 8 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { 
"rule_name": "Threat Intel URL Indicator Match", @@ -12452,7 +12495,7 @@ "rule_name": "Remote Desktop File Opened from Suspicious Path", "sha256": "8eb6f9850d1ca4101a9c31eef37742993dbb0a0b9ea08a5e1bd5e36338f86abe", "type": "eql", - "version": 9 + "version": 10 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation", 
@@ -12464,37 +12507,37 @@ "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "553406e7a5fe05f12c98e908e130c595f11aad5ba24d6521b3cb95431f1220cf", "type": "eql", - "version": 314 + "version": 315 }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Pluggable Authentication Module or Configuration Creation", "sha256": "4e7927ea9ee84da27a6bc1fc12f753e2d873328a3a1f8113354afe2c2889690e", "type": "eql", - "version": 9 + "version": 10 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal", "sha256": "fae91cdc5143504077c9cc353440c3df9dc19a9fb86b257633e5cee480d0754f", "type": "query", - "version": 219 + "version": 220 }, "f4b857b3-faef-430d-b420-90be48647f00": { "rule_name": "OpenSSL Password Hash Generation", "sha256": "578fa837f0af51bf69c436d7ba2cc8d249f7fc6cfc00be5c25b0ba71b3069fa7", "type": "eql", - "version": 6 + "version": 7 }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", - "sha256": "f9eaf69ddd185f8b4c607c763db8ca5e3206d6599f48108b961d0a79fb572322", + "sha256": "a3488ceb0564d887f46fe146dad6bca90a9eb402a00ee3b6b223a4b68183c68a", "type": "esql", - "version": 7 + "version": 9 }, "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { "rule_name": "DPKG Package Installed by Unusual Parent Process", "sha256": "2ecc5312b7dd25b04f1124d44fdcf991f2650e3684b81ba6910730dbb18db5b7", "type": "new_terms", - "version": 7 + "version": 8 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -12506,19 +12549,19 @@ "rule_name": "Suspicious Data Encryption via OpenSSL Utility", "sha256": "6212d9d93c65c1e446bdeb51474d2abaded9566ccad6cbc8ef83ff0fed9163ac", "type": "eql", - "version": 12 + "version": 13 }, "f541ca3a-5752-11f0-b44b-f661ea17fbcd": { "rule_name": "Entra ID Sign-in TeamFiltration User-Agent Detected", "sha256": "3f339217cd8eae50f29ce9fcb9124f0a7526f85b0ad85961b8583156f1823d6d", "type": "query", - "version": 3 + "version": 4 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", "sha256": "f633d19c3abff0200df7cb8e9904664c8aac48f10ecf058e5eacbfc730a9c3d6", "type": "eql", - "version": 317 + "version": 318 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "rule_name": "Deprecated - SSH Connection Established Inside A Running Container", 
@@ -12530,32 +12573,32 @@ "rule_name": "Rare SMB Connection to the Internet", "sha256": "7cba8d9dc86077834c99f4032ae1cfd0578a03e74b98f5af2a786a578f374476", "type": "new_terms", - "version": 214 + "version": 215 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "e2478afe8591053489cbda3bfcc55b4842a4119642e5d56d3ce788a9179b5c3f", "type": "query", - "version": 111 + "version": 112 }, "f596175f-b8fd-43ac-b9e9-ea2a96bb55d8": { "min_stack_version": "9.3", "rule_name": "Kubelet Pod Discovery Detected via Defend for Containers", "sha256": "7723c687b0c450f64a00cee36d7c3931bd7c021d6ff6833cf9c9271a2a5f42f7", "type": "eql", - "version": 2 + "version": 3 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "rule_name": "WMIC Remote Command", "sha256": "0e72674c9e5b508cb58ff78ab6d5d918767df0ff88c1a86cec3981f283555247", "type": "eql", - "version": 111 + "version": 112 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { "rule_name": "Setcap setuid/setgid Capability Set", "sha256": "3000740cd69fe252c0029fb2309de620fe221dc6bdbb6873c6de6c6dec2414f9", "type": "eql", - "version": 112 + "version": 113 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "9.4", 
@@ -12571,56 +12614,56 @@ "rule_name": "Parent Process Detected with Suspicious Windows Process(es)", "sha256": "6087543daca9986a612585855dcfc77d192fd4a1e20ab80710f3619022cc0cc8", "type": "machine_learning", - "version": 211 + "version": 212 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "rule_name": "Masquerading Space After Filename", "sha256": "b8a837130b3b5d74204a8537614a5612a561e68b829c89916fbf5f67d9505c72", "type": "eql", - "version": 12 + "version": 13 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "rule_name": "Account or Group Discovery via Built-In Tools", "sha256": "dc828379a80bcd81d6d54e8910635b11a89acc59e65e859525568e856567c371", "type": "new_terms", - "version": 7 + "version": 8 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "dbf7164e7bc3f1a792a0e2ee5a048cbda99b3aed0d7af7693f32134c4bdab517", "type": "eql", - "version": 317 + "version": 318 }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", "sha256": "1dff4a3354ffb01188e7144a8483bb555136a03b278e0b3410d4233e5fd77d8b", "type": "eql", - "version": 9 + "version": 10 }, "f66a6869-d4c7-4d20-ab13-beefd03b63b4": { "min_stack_version": "9.3", "rule_name": "Environment Variable Enumeration Detected via Defend for Containers", "sha256": "4940432d89d05102af4274afb80384ca2bda0d452e0521a1afc0879a5237b699", "type": "eql", - "version": 2 + "version": 3 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "3eecb4705dfa3aca68572467da4f1e62c4ff2fa7df0aefd85aca9094d24a9f29", "type": "eql", - "version": 316 + "version": 317 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", "sha256": "08ad8ed2e2ca485401fa0335d86ab975c721be7927df7d41f56076abb95d7db6", "type": "eql", - "version": 111 + "version": 112 }, "f6a0b2c3-4d5e-4f7a-8b9c-0d1e2f3a4b5c": { "rule_name": "AWS KMS Key Policy Updated via 
PutKeyPolicy", "sha256": "823e0533246b6570195a0c0456c4cbbe2a722ac375ce8f8b0c850026c5bdb314", "type": "query", - "version": 1 + "version": 2 }, "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": { "min_stack_version": "9.2", 
@@ -12636,49 +12679,49 @@ "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", "sha256": "c07fa7fae81922d04accf363a9e78642676d26e8aee182c0560cf0824f2ac45d", "type": "new_terms", - "version": 109 + "version": 110 }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", "sha256": "e9712cbae119495bbc148f3c7ddb66a6c11d34127865165f2a9572d6ecdff0ba", "type": "esql", - "version": 12 + "version": 13 }, "f701be14-0a36-4e9a-a851-b3e20ae55f09": { "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", "sha256": "55de9b4b300ea2acb263f1cc4cbed9585e7669be566e58e1fa22c6db3d9e7a9c", "type": "query", - "version": 4 + "version": 5 }, "f754e348-f36f-4510-8087-d7f29874cc12": { "rule_name": "AWS Sign-In Token Created", "sha256": "b4f3c7bb4e908abc5172e54beffa1e362454012ebbc480fe2d7ce71b7112cd71", "type": "query", - "version": 2 + "version": 3 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "rule_name": "System Hosts File Access", "sha256": "e74aea796502decaa57c31bdfcbbb1fd65f68a826f3c3e1f3f6fdf7cb458fa3b", "type": "eql", - "version": 7 + "version": 8 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Entra ID Service Principal Credentials Created by Unusual User", "sha256": "6e45ed34b41c65dea5f26b4fd76c9a2d93cd04c869ff1233f8c9f818ae8ea9fb", "type": "new_terms", - "version": 110 + "version": 111 }, "f770ce79-05fd-4d74-9866-1c5d66c9b34b": { "rule_name": "Potential Malicious PowerShell Based on Alert Correlation", - "sha256": "18fe52692212c76a8aa0b987ba3acfd8a6000f9c822bed35cf9ff4813f183040", + "sha256": "d2074c011da999162852d4382bbc9a7904cb9936643600eff6a4a08765cc5d7a", "type": "esql", - "version": 6 + "version": 7 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", "sha256": "79d4a35620619779083ee70524a8ef1682a27632b98289f7456caa69d6568239", "type": "query", - "version": 214 + "version": 215 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { 
"min_stack_version": "9.3", 
@@ -12694,110 +12737,110 @@ "rule_name": "SSH Authorized Key File Activity Detected via Defend for Containers", "sha256": "14f95ad2256fe5d602c0c02461a1ad0140159a49d4af60382a20a6d2511f1cfd", "type": "eql", - "version": 106 + "version": 107 }, "f7a131f8-44b7-4957-99a4-e6c54d93d816": { "rule_name": "Potential Kubeletctl Execution", "sha256": "89f8d852aa107f4487eef99b1e6a9d81950c954a0b6533b2f283a5dfdd9a07e5", "type": "eql", - "version": 1 + "version": 2 }, "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", "sha256": "0df65b003548a28c9f18c010d2dd59a06433f01121e7a155c496e0b44d3cb6c1", "type": "new_terms", - "version": 6 + "version": 7 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "27b911863a0e93338b177cb55bbbcb19a306892e7f2ec0d6e264e1ae71959810", "type": "eql", - "version": 318 + "version": 319 }, "f7c64a1b-9d00-4b92-9042-d3bb4196899a": { "min_stack_version": "9.3", "rule_name": "Service Account Namespace Read Detected via Defend for Containers", "sha256": "9f57c86383c5c1b1e2b9f7f6640f0c0651119f9ae170973ee430a1280981cecc", "type": "eql", - "version": 3 + "version": 4 }, "f7c70f2e-4616-439c-85ac-5b98415042fe": { "rule_name": "Potential Privilege Escalation via Linux DAC permissions", "sha256": "273a68b602a7b719ceb9864ebcbbf2d46da699434458da9c37a16b290bdcd808", "type": "new_terms", - "version": 8 + "version": 9 }, "f7d588ba-e4b0-442e-879d-7ec39fbd69c5": { "rule_name": "Potential SAP NetWeaver WebShell Creation", "sha256": "1ec092ad267fde831ed0f6df37ec577f9d2275d7956117a0052e4eb35ee7068d", "type": "eql", - "version": 2 + "version": 3 }, "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": { "rule_name": "AWS Suspicious User Agent Fingerprint", "sha256": "27d2eb5e6870d7c227dd3a411c07293fecb8f8f2f775777480a7dd0e02bc409d", "type": "eql", - "version": 5 + "version": 6 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "rule_name": "Microsoft Exchange Worker Spawning 
Suspicious Processes", "sha256": "e1093b274ee488b7ae91e618e9198f2f5fbb2e38c105ebe0d065545ffadd5cf9", "type": "eql", - "version": 316 + "version": 317 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "sha256": "944482376711795146b91fa8d586f565364c9cab3cf94481924fb5d7128846c4", "type": "eql", - "version": 110 + "version": 111 }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", "sha256": "ab72bdf494ad1fe2b76321bce5c7385b100ac9456193bbd02076b9162c828500", "type": "eql", - "version": 10 + "version": 11 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "01d3cd8eb31e61543055122ffea2e86a0bf0f5be3388459c2f465a0301c572cb", "type": "eql", - "version": 317 + "version": 318 }, "f87e6122-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Prevented - Elastic Defend", "sha256": "5f0651f7f44774e085a9b994162b48004c1a1ea83463576e78763c92ceecb71b", "type": "query", - "version": 5 + "version": 6 }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { "rule_name": "Potential Active Directory Replication Account Backdoor", "sha256": "8b8cfdc1b6e853232d72a002e0d118a07d7b24e93ac97350d75f63492b64600f", "type": "query", - "version": 111 + "version": 112 }, "f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10": { "rule_name": "Kubernetes Secret get or list from Node or Pod Service Account", "sha256": "54c8912357a44e55f6e5f02a278d9037893b4919c7b4af99370d5049ef288546", "type": "query", - "version": 2 + "version": 3 }, "f909075d-afc7-42d7-b399-600b94352fd9": { "rule_name": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent", "sha256": "1f3539efa4a2f15732756c9d225c458db94a94e3e76db2e5e75c56fc4ef25b98", "type": "eql", - "version": 107 + "version": 108 }, "f92171ed-a4d3-4baa-98f9-4df1652cb11b": { "rule_name": "Potential Secret Scanning via Gitleaks", "sha256": 
"4861674e448f597aa53a76a1d592c4eeeeb880c7a635868424b52dbd07885f11", "type": "eql", - "version": 3 + "version": 4 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "17321d3d74af2ddb12d9920ceb84fd2b8ca8e772fcb350e32526d5c46c5672c8", "type": "new_terms", - "version": 208 + "version": 209 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "min_stack_version": "9.4", 
@@ -12813,49 +12856,49 @@ "rule_name": "Unusual Linux Network Configuration Discovery", "sha256": "b6a7707b778a054c85270746ef3d0855539421ee3103f6c883ea68097524173b", "type": "machine_learning", - "version": 208 + "version": 209 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "rule_name": "Ingress Transfer via Windows BITS", "sha256": "8f1a587012787e08bd7b994c54b371e5ff8d27a2cf4b52b93f0541c8eeb0a2a5", "type": "eql", - "version": 13 + "version": 14 }, "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": { "rule_name": "Okta Admin Console Login Failure", "sha256": "3677a7454991a183ca50685f05c67cfbb7ab40cf6d1228854c5bc90678c5ed52", "type": "query", - "version": 2 + "version": 3 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "rule_name": "Browser Extension Install", "sha256": "db212e9bc4d6e1742a38a366ddb3b13939e0bbe4e792978053b32dc4fafbcd64", "type": "eql", - "version": 210 + "version": 211 }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", "sha256": "38bd2f9e10713d14fe22bca802a8451930bea026c19babeddec2c1c26e14a9ab", "type": "esql", - "version": 10 + "version": 11 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "rule_name": "Privileged Accounts Brute Force", "sha256": "8afcd5fb546282c618329fe4b5405930b900d0c5f91b6a3894ab8f38df780dbd", "type": "esql", - "version": 119 + "version": 120 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "3f42d9f4d6c683fa8e24940e81e098732937f7c261ff50f3c743c37d18f8492d", "type": "query", - "version": 413 + "version": 414 }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", "sha256": "9fc867fa956909614f0c374d0eef744aaa01a9f0bc9c8c4cb346e4abe5b2e9f0", "type": "esql", - "version": 12 + "version": 13 }, "f9de0949-94d8-441d-ae9a-8eb1e040acf2": { "rule_name": "Newly Observed Process Exhibiting High CPU Usage", 
@@ -12867,67 +12910,67 @@ "rule_name": "Remote File Copy to a Hidden Share", "sha256": "703a7a28c0e9d60ac345d7ff3b528565b332ae1f6e8e959878c741327fbc0108", "type": "eql", - "version": 320 + "version": 321 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "rule_name": "Potential External Linux SSH Brute Force Detected", "sha256": "9731338ba3f551d2349c7c13e09c98d974880b06e1b03a55ee03454295de4adb", "type": "eql", - "version": 11 + "version": 12 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "rule_name": "Potential Reverse Shell via Suspicious Binary", "sha256": "75eae6a378cd9de230df241678954eca014909ff202bd7530fd66caad62920c5", "type": "eql", - "version": 13 + "version": 14 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "339af3c6decf44171d39eb6af3fe6a811d9c725f06886ed9865a5eabd9310f8d", "type": "eql", - "version": 321 + "version": 322 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "rule_name": "Potential Disabling of AppArmor", "sha256": "2f19b753f33613c744acac5ad08008b53e8791926ce4f2e512d8f9d0738fe054", "type": "eql", - "version": 113 + "version": 114 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL", "sha256": "e1b06ffe4e33874ed8e0700e601b69f3c9138637316c92d5c31067e7384a7006", "type": "eql", - "version": 110 + "version": 111 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Registration Utility", "sha256": "d3f5c7183ddff278c200bf2ed689942fb3e756bea5404573d607b22e0d90da44", "type": "eql", - "version": 212 + "version": 213 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "bf668bb17c3ea7604e554f63825a99d9153ff36affd8b4b9ebb087cba806ff0f", "type": "threshold", - "version": 209 + "version": 210 }, "fb16f9ef-cb03-4234-adc2-44641f3b71ee": { "rule_name": "Azure OpenAI Insecure Output Handling", - "sha256": "6d7efa2625569a818bc649d0e39b3174fdce1739aa2da7102b945a217e3912e6", + 
"sha256": "799952ea9ded7fa71e9d842e3a27b248bc6c4d49ac83aa56949ca1bd6d6447df", "type": "esql", - "version": 5 + "version": 7 }, "fb3ca230-af4e-11f0-900d-f661ea17fbcc": { "rule_name": "Okta Multiple OS Names Detected for a Single DT Hash", "sha256": "e00405635f604093c0a8a65f92aa45f3a61a087ba4372ea7b1d6a2b5e06d486a", "type": "threshold", - "version": 1 + "version": 2 }, "fb542346-1624-4cf2-bcc7-c68abaab261b": { "rule_name": "Kernel Instrumentation Discovery via kprobes and tracefs", "sha256": "b7658647fd18f717cf27e94dc7503078ad59c72e1477332c507001cd361c4b10", "type": "eql", - "version": 2 + "version": 3 }, "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { "min_stack_version": "9.4", @@ -12943,13 +12986,13 @@ "rule_name": "Unusual Group Name Accessed by a User", "sha256": "667f169cd9b1cccf4aea8c89b3535d32676adf3648fb6ec26bd809d1a57539e4", "type": "machine_learning", - "version": 104 + "version": 105 }, "fb8790fc-d485-45e2-8d6e-2fb813f4af95": { "rule_name": "Dylib Injection via Process Environment Variables", "sha256": "3da41c31ba94d685cd75f85322328359014c5be38f21ccf09593a68bf338b641", "type": "eql", - "version": 2 + "version": 3 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", @@ -12961,7 +13004,7 @@ "rule_name": "Potential Fake CAPTCHA Phishing Attack", "sha256": "57236fd56cbb9d847b89d0f3dabc3067acac43e780f46d94437f5c0cbc3599fd", "type": "eql", - "version": 4 + "version": 5 }, "fbb10f1e-77cb-42f9-994e-5da17fc3fc15": { "min_stack_version": "9.4", 
@@ -12977,49 +13020,49 @@ "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", "sha256": "2a0c28333cbc2b59a754048dac4ba1ba85e1e32f9407e91291bbe69a9abbcf5d", "type": "machine_learning", - "version": 104 + "version": 105 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", "sha256": "992873866168b6dc2174c2626fb35218105596756c2e0301459d4c664ae9ea8d", "type": "query", - "version": 212 + "version": 213 }, "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": { "rule_name": "Process Started with Executable Stack", "sha256": "fd1e26f5a72a073b0f04248104e8a153e66925a0edbac78669638790918671c2", "type": "query", - "version": 6 + "version": 7 }, "fc552f49-8f1c-409b-90f8-6f5b9869b6c4": { "rule_name": "Elastic Defend Alert Followed by Telemetry Loss", "sha256": "67f6095aaaf71d37cb9ae1e5b587093cea6fa579d3654a9353068eb9b0edef4d", "type": "eql", - "version": 3 + "version": 4 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "b9b40ca0af3b9ae7237ee58b9db28fdb68df1dc944e6582fc0cf91ee188b4e5d", "type": "eql", - "version": 315 + "version": 316 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "b75dda67fd9da77f1320ea7c94c736e499c45243b2d3a1f0775caeca732cf753", "type": "new_terms", - "version": 208 + "version": 209 }, "fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": { "rule_name": "Proxy Execution via Console Window Host", "sha256": "da23ef37ab245220584b0229ede378558147536d721124480c11f605078401a3", "type": "eql", - "version": 4 + "version": 5 }, "fcd2e4be-6ec4-482f-9222-6245367cd738": { "rule_name": "M365 Identity OAuth Flow by User Sign-in to Device Registration", "sha256": "61bd95935880280101cb47357cfba9fda77a633cad787f7e0f4983dcf66fccf7", "type": "eql", - "version": 4 + "version": 5 }, "fcf18de8-ad7d-4d01-b3f7-a11d5b3883af": { "rule_name": "Threat Intel Email 
Indicator Match", @@ -13031,25 +13074,25 @@ "rule_name": "User or Group Creation/Modification", "sha256": "2d62847cab8c33a052e502836ad121caf86f64b238197c9a1b2938d4e27c5f5e", "type": "eql", - "version": 8 + "version": 9 }, "fd00769d-b18d-450a-a844-7a9f9c71995e": { "rule_name": "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount", "sha256": "84051400b1ae5421cfb0710d08885fc6ccb194cced886576497e63909acfa9c9", "type": "query", - "version": 2 + "version": 3 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { "rule_name": "GitHub App Deleted", "sha256": "eec1892d492dc25cab5480d300e33e9aac87bcbb4386d100cab35cb223d38ce6", "type": "eql", - "version": 209 + "version": 210 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", "sha256": "74a0ff1c1a288bfbe8134ef5390dc9c7a9081b9e769c155809243aa52e7bd168", "type": "new_terms", - "version": 9 + "version": 10 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", 
@@ -13061,49 +13104,49 @@ "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "ef85670df7af1d67434ee4a084dae6785d63ea6fad1da9fed5bfefceaed92178", "type": "eql", - "version": 319 + "version": 320 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Suspicious CertUtil Commands", "sha256": "33778ead57b302d2250b723cf23c47fec7f96b8dcff8dfd99fc8f806e4ed0484", "type": "eql", - "version": 318 + "version": 319 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", "sha256": "17b5ec1f17eb3bdc6ba867893df9d9201b1818c50d9896f84da7c3d4c94db588", "type": "new_terms", - "version": 428 + "version": 429 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "rule_name": "Image Loaded with Invalid Signature", "sha256": "03745c7178dcf6374257634aeffef34bd5009ab9b52fbd8e2dd6d77b57ba1a47", "type": "eql", - "version": 4 + "version": 5 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "rule_name": "System Binary Moved or Copied", "sha256": "c20425759c10146a7e712fece38e597058b1970b880b8dc01d9683d931348140", "type": "eql", - "version": 18 + "version": 19 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "44814458fede28b8e96ffe4731862abd5077e5562e02d387ad816b812454f814", "type": "query", - "version": 113 + "version": 114 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "4f61d5a4d2aea076af8a4b48cd80ffa83a42e7c5bc8144c04f396ba5571cb1ac", "type": "query", - "version": 112 + "version": 113 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", "sha256": "49ad33faa96836050c4fe6962330a51b2947b18372a2c7614579d27da4012c4f", "type": "eql", - "version": 320 + "version": 321 }, "fe8d6507-b543-4bbc-849f-dc0da6db29f6": { "min_stack_version": "9.4", 
@@ -13119,43 +13162,43 @@ "rule_name": "Spike in host-based traffic", "sha256": "907d81f3a0d242ae72cb95a3525f28b646be7b2537e8437b213254a0e2ac1660", "type": "machine_learning", - "version": 105 + "version": 106 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", "sha256": "889fbc6f1fe7867a60c30e0988ce0a1ecca3b10ed4d68247409e0bbb156e228a", "type": "eql", - "version": 11 + "version": 12 }, "feba48f6-40ca-4d04-b41f-5dfa327de865": { "rule_name": "Data Encrypted via OpenSSL Utility", "sha256": "6d5bc57ab69832dcf1fceb1113c15bd50ef32043aeac5c753aa45d8ef84fb133", "type": "eql", - "version": 2 + "version": 3 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", "sha256": "e5501cb17cf5fe1cb22ce9ae6e8396575c212a05d10b7f191f96bde4173277f8", "type": "eql", - "version": 5 + "version": 6 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "51805a54ccba7e11dd5249f3383c0faa260594148db400d814d4112d22e5b4ae", "type": "eql", - "version": 313 + "version": 314 }, "fef62ecf-0260-4b71-848b-a8624b304828": { "rule_name": "Potential Process Name Stomping with Prctl", "sha256": "d2d8d9adc0b0a1e18a247c5c551721be0f8dae7e8136df787c2c7c7b44f86070", "type": "eql", - "version": 6 + "version": 7 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "b271213c5408f3105b6c293a194441c0a6ee0a8f56895b6c8b5d514a45f29206", "type": "query", - "version": 108 + "version": 109 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { "min_stack_version": "9.4", 
@@ -13171,72 +13214,72 @@ "rule_name": "Potential DGA Activity", "sha256": "1892ab19dfbba7c5209d5416fac24916cec60b288ae4bbe9f0dfcad7fbb548ad", "type": "machine_learning", - "version": 109 + "version": 110 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "rule_name": "Cron Job Created or Modified", "sha256": "911f2754934b26787ef6ce346dd060a5ff237c442db717002c7f6c6d0678ec96", "type": "eql", - "version": 19 + "version": 20 }, "ff18d24b-2ba6-4691-a17f-75c4380d0965": { "rule_name": "Suspicious JavaScript Execution via Deno", "sha256": "102528b0ebeaf11552f09f3c90c9140833eba1c358f9aa8242bda4fd27742849", "type": "eql", - "version": 4 + "version": 5 }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", "sha256": "b1c612a39634c76d3859749ffcf4a66830efa742e42ac76353710085e9a89c75", "type": "eql", - "version": 8 + "version": 9 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "rule_name": "LSASS Process Access via Windows API", "sha256": "e8c9c0b5687e154282e78e10cc4a216bb48980b43eb31f266ae4bdbb91e37781", "type": "esql", - "version": 19 + "version": 20 }, "ff46eb26-0684-4da3-9dd6-21032c9878e1": { "rule_name": "Active Directory Discovery using AdExplorer", "sha256": "e2bc14f1daa81650bb1547ff4439ba2e4f96fe3959eff2fe3d7e6aa1f47e84bd", "type": "eql", - "version": 3 + "version": 4 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "M365 Exchange Mail Flow Transport Rule Created", "sha256": "3af2c69e8e417302ef11f5cad05379d42ead8135a8bb69dbf6e400195e16d2e0", "type": "query", - "version": 213 + "version": 214 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "156d6c92921c8a78a426d13399acfc82335279f41bb1ca1b3b514f78e2d95be0", "type": "eql", - "version": 206 + "version": 207 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall Rule Deletion", "sha256": "2d21b1f06254849904bc0f96312aaddd5dbde583bae425bbb2b4e8cd08c5977c", 
"type": "query", - "version": 109 + "version": 110 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "fd78dc142d1cddc2c1b468082eba4a5caf404e211bf2b2fb770e0bb2218f5810", "type": "eql", - "version": 112 + "version": 113 }, "ffa676dc-09b0-11f0-94ba-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Top Level Domain", "sha256": "6fae13669a71fb69141b56f8ea1faa51ec5717011111ca52cae34917ddc408ce", "type": "new_terms", - "version": 3 + "version": 4 }, "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": { "rule_name": "Suspicious TCC Access Granted for User Folders", "sha256": "d7c925205ac4209a78c8c60e52b5ad975f5ca3a956f42e12337fa8dfa1035e98", "type": "esql", - "version": 3 + "version": 4 } } \ No newline at end of file diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py index 4476caea191..4ce4524e3ba 100644 --- a/detection_rules/integrations.py +++ b/detection_rules/integrations.py @@ -8,8 +8,9 @@ import fnmatch import gzip import json -from collections import OrderedDict, defaultdict +from collections import defaultdict from collections.abc import Iterator +from dataclasses import dataclass from pathlib import Path from typing import TYPE_CHECKING, Any 
@@ -244,36 +245,141 @@ def _satisfies_kibana_range(stack: Version, version_requirement: str) -> bool: return any(lo <= stack and (hi is None or stack < hi) for lo, hi in _parse_kibana_range(version_requirement)) -def find_least_compatible_version( - package: str, - integration: str, - current_stack_version: str, - packages_manifest: dict[str, Any], -) -> str: - """Finds least compatible version for specified integration based on stack version supplied.""" - integration_manifests = dict(sorted(packages_manifest[package].items(), key=lambda x: Version.parse(x[0]))) - stack_version = Version.parse(current_stack_version, optional_minor_and_patch=True) - - # filter integration_manifests to only the latest major entries +def _major_has_compatible_stack(major: int, version_requirement: str) -> bool: + """Return True iff the Kibana range overlaps some stack in ``[major.0.0, (major+1).0.0)``.""" + major_lo = Version(major, 0, 0) + major_hi = Version(major + 1, 0, 0) + for lo, hi in _parse_kibana_range(version_requirement): + if lo < major_hi and (hi is None or hi > major_lo): + return True + return False + + +def _stack_majors_supported_by_package(integration_manifests: dict[str, Any]) -> set[int]: + """Collect Kibana stack majors that any manifest in the package can serve.""" + stack_majors: set[int] = set() + for manifest in integration_manifests.values(): + version_requirement = manifest["conditions"]["kibana"]["version"] + for lo, _hi in _parse_kibana_range(version_requirement): + if _major_has_compatible_stack(lo.major, version_requirement): + stack_majors.add(lo.major) + return stack_majors + + +def _anchor_for_aligned_integration_major( + major: int, + integration_manifests: dict[str, Any], +) -> str | None: + """Oldest integration version in ``major`` whose Kibana range overlaps ``[major, major+1)``.""" + major_manifests = { + version: manifest + for version, manifest in integration_manifests.items() + if Version.parse(version).major == major + } + for version, 
manifest in sorted(major_manifests.items(), key=lambda x: Version.parse(x[0])): + version_requirement = manifest["conditions"]["kibana"]["version"] + if _major_has_compatible_stack(major, version_requirement): + return version + return None + + +def _find_least_compatible_for_stack( + stack_version: Version, + integration_manifests: dict[str, Any], +) -> str | None: + """Stack-dependent least compatible integration version (pre-#5601 behavior).""" major_versions = sorted( {Version.parse(manifest_version).major for manifest_version in integration_manifests}, reverse=True, ) for max_major in major_versions: major_integration_manifests = { - k: v for k, v in integration_manifests.items() if Version.parse(k).major == max_major + version: manifest + for version, manifest in integration_manifests.items() + if Version.parse(version).major == max_major } - - # iterates through ascending integration manifests - # returns latest major version that is least compatible - for version, manifest in OrderedDict( - sorted(major_integration_manifests.items(), key=lambda x: Version.parse(x[0])) - ).items(): + for version, manifest in sorted(major_integration_manifests.items(), key=lambda x: Version.parse(x[0])): version_requirement = manifest["conditions"]["kibana"]["version"] if _satisfies_kibana_range(stack_version, version_requirement): - return f"^{version}" + return version + return None - raise ValueError(f"no compatible version for integration {package}:{integration}") + +def _representative_stack_version(stack_major: int) -> Version: + """Representative stack version used to resolve unaligned integration majors.""" + return Version(stack_major, 19, 0) + + +@dataclass(frozen=True) +class CompatibleVersionRange: + """Stack-invariant related integration compatibility range.""" + + range: str + anchors: list[str] + forward_anchor: str + + +def find_compatible_version_range( + package: str, + packages_manifest: dict[str, Any], +) -> CompatibleVersionRange: + """Return a 
stack-invariant OR'd caret range for ``related_integrations.version``. + + Emits one ``^X.Y.Z`` anchor per stack line the integration package supports, plus a + forward-looking ``^(top_major + 1).0.0`` anchor. Integration majors aligned with Kibana + stack majors (e.g. endpoint 8.x / 9.x) use manifest overlap on ``[M, M+1)``; other + packages resolve additional stack lines via the legacy stack walk. + """ + package_manifest = packages_manifest.get(package) + if package_manifest is None: + raise ValueError(f"Package {package} not found in manifest.") + + integration_manifests = dict(sorted(package_manifest.items(), key=lambda x: Version.parse(x[0]))) + integration_majors = {Version.parse(version).major for version in integration_manifests} + stack_majors = _stack_majors_supported_by_package(integration_manifests) + + if not stack_majors: + raise ValueError(f"no compatible version for integration package {package}") + + aligned_by_major = { + major: anchor + for major in sorted(integration_majors) + if (anchor := _anchor_for_aligned_integration_major(major, integration_manifests)) is not None + } + aligned_min_major = min(aligned_by_major) if aligned_by_major else None + + if aligned_min_major is not None: + effective_stack_majors = sorted(stack_major for stack_major in stack_majors if stack_major >= aligned_min_major) + else: + effective_stack_majors = sorted( + stack_major for stack_major in stack_majors if stack_major >= max(stack_majors) - 1 + ) + + anchors: list[str] = [] + for stack_major in effective_stack_majors: + if stack_major in aligned_by_major: + anchor = aligned_by_major[stack_major] + elif stack_major in integration_majors: + anchor = _anchor_for_aligned_integration_major(stack_major, integration_manifests) + else: + anchor = _find_least_compatible_for_stack( + _representative_stack_version(stack_major), + integration_manifests, + ) + if anchor and anchor not in anchors: + anchors.append(anchor) + + if not anchors: + raise ValueError(f"no compatible 
version for integration package {package}") + + top_major = max(Version.parse(anchor).major for anchor in anchors) + forward_anchor = f"{top_major + 1}.0.0" + range_parts = [f"^{anchor}" for anchor in anchors] + [f"^{forward_anchor}"] + return CompatibleVersionRange( + range=" || ".join(range_parts), + anchors=anchors, + forward_anchor=forward_anchor, + ) def find_latest_compatible_version( diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 28de81b9bb1..2d4a0162266 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -32,7 +32,7 @@ from .esql import get_esql_query_event_dataset_integrations from .esql_errors import EsqlSemanticError from .integrations import ( - find_least_compatible_version, + find_compatible_version_range, get_integration_schema_fields, load_integrations_manifests, load_integrations_schemas, @@ -1428,7 +1428,6 @@ def _convert_add_related_integrations(self, obj: dict[str, Any]) -> None: if not package_integrations and self.metadata.integration: packages_manifest = load_integrations_manifests() - current_stack_version = load_current_package_version() if self.check_restricted_field_version(field_name) and isinstance( self.data, QueryRuleData | MachineLearningRuleData 
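Review bot: `_stack_majors_supported_by_package` only ever records `lo.major` for each parsed clause, so a clause whose upper bound lies in a later major, or one that is open-ended (`hi is None`, a case `_major_has_compatible_stack` explicitly handles), never contributes the later stack majors it admits, and the inner `_major_has_compatible_stack(lo.major, ...)` test is redundant for any clause with `lo < hi`. Either walk every major the clause overlaps, or state in the docstring that each Kibana clause is expected to stay within one major so the collapse is deliberate. `_representative_stack_version` also hard-codes `Version(stack_major, 19, 0)` without saying why; since `_satisfies_kibana_range` requires `lo <= stack`, a manifest whose range starts at a higher minor of that major could be skipped, so a comment such as `# minor 19 is assumed to exceed any minor a manifest's Kibana range pins within a major — TODO confirm the bound` would make the assumption reviewable. Finally, `CompatibleVersionRange.range` shadows the `range` builtin and `anchors: list[str]` leaves a frozen dataclass mutable through its list; `version_range` and `tuple[str, ...]` would avoid both.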
@@ -1446,22 +1445,19 @@ def _convert_add_related_integrations(self, obj: dict[str, Any]) -> None: return for package in package_integrations: - package["version"] = find_least_compatible_version( + result = find_compatible_version_range( package=package["package"], - integration=package["integration"], - current_stack_version=current_stack_version, packages_manifest=packages_manifest, ) + package["version"] = result.range - # if integration is not a policy template remove - if package["version"]: - version_data = packages_manifest.get(package["package"], {}).get( - package["version"].strip("^"), {} - ) - policy_templates = version_data.get("policy_templates", []) + policy_templates: set[str] = set() + for anchor in result.anchors: + version_data = packages_manifest.get(package["package"], {}).get(anchor, {}) + policy_templates.update(version_data.get("policy_templates", [])) - if package["integration"] not in policy_templates: - del package["integration"] + if package["integration"] not in policy_templates: + del package["integration"] # remove duplicate entries package_integrations = list({json.dumps(d, sort_keys=True): d for d in package_integrations}.values()) diff --git a/tests/test_integrations.py b/tests/test_integrations.py index aafd5fea869..193d9e4d05b 100644 --- a/tests/test_integrations.py +++ b/tests/test_integrations.py @@ -13,8 +13,8 @@ _parse_clause, _parse_kibana_range, _satisfies_kibana_range, + find_compatible_version_range, find_latest_compatible_version, - find_least_compatible_version, ) 
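Review bot: The policy-template check now unions `policy_templates` across every anchor in `result.anchors`, so the `integration` key is kept whenever any anchored manifest version lists it, whereas the old code consulted only the single version it had chosen; that loosening is deliberate but unstated, so put it on the loop: `# keep the integration if any anchored version ships it as a policy template (union across majors, not intersection)`. Dropping the old `if package["version"]:` guard is only safe because `find_compatible_version_range` raises rather than returning an empty range; a one-line comment such as `# result.range is never empty: the lookup raises ValueError instead` would make that dependency visible to the next editor. Note also that `result.range` carries the forward-looking `^{top_major + 1}.0.0` anchor built in integrations.py, so the exported `related_integrations.version` now asserts compatibility with an integration major that may not exist yet — worth a sentence in the docstring of `_convert_add_related_integrations`, whose body starts and ends outside this hunk.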
@@ -215,45 +215,88 @@ def test_unknown_package_raises(self): find_latest_compatible_version("missing", "missing", Version(9, 1, 0), {}) -class TestFindLeastCompatibleVersion(unittest.TestCase): - """Behavior coverage for ``find_least_compatible_version``.""" +class TestFindCompatibleVersionRange(unittest.TestCase): + """Behavior coverage for ``find_compatible_version_range``.""" - def test_picks_oldest_compatible_in_latest_major(self): - """Returns the oldest manifest in the latest major whose range admits the stack.""" + def test_emits_or_range_across_majors(self): + """Emits oldest anchor per major plus a forward-looking next-major anchor.""" manifests = { "pkg": { - "1.0.0": _manifest("^8.12.0"), - "1.5.0": _manifest("^8.12.0"), - "2.0.0": _manifest("^9.0.0"), - "2.1.0": _manifest("^9.1.0"), - "2.5.0": _manifest("^9.1.0"), + "1.0.0": _manifest("^1.0.0"), + "1.5.0": _manifest("^1.5.0"), + "2.0.0": _manifest("^2.0.0"), + "2.5.0": _manifest("^2.1.0"), } } - # 2.0.0 (^9.0.0) is the oldest 9.x manifest that admits a 9.1.0 stack. 
- self.assertEqual(find_least_compatible_version("pkg", "pkg", "9.1.0", manifests), "^2.0.0") + result = find_compatible_version_range("pkg", manifests) + self.assertEqual(result.range, "^1.0.0 || ^2.0.0 || ^3.0.0") + self.assertEqual(result.anchors, ["1.0.0", "2.0.0"]) + self.assertEqual(result.forward_anchor, "3.0.0") - def test_no_compatible_in_any_major_raises(self): - """When neither the latest nor any prior major admits the stack, raise.""" + def test_stack_invariance(self): + """Range result does not depend on build stack version.""" manifests = { "pkg": { - "1.0.0": _manifest("^8.12.0"), - "2.0.0": _manifest("^9.4.0"), + "1.0.0": _manifest("^1.0.0"), + "2.0.0": _manifest("^2.0.0"), } } - with self.assertRaises(ValueError): - find_least_compatible_version("pkg", "pkg", "9.1.0", manifests) + first = find_compatible_version_range("pkg", manifests) + second = find_compatible_version_range("pkg", manifests) + self.assertEqual(first, second) + + def test_single_major_appends_forward_anchor(self): + """A single integration major still appends the forward-looking anchor.""" + manifests = {"pkg": {"9.0.0": _manifest("^9.0.0")}} + result = find_compatible_version_range("pkg", manifests) + self.assertEqual(result.range, "^9.0.0 || ^10.0.0") + self.assertEqual(result.anchors, ["9.0.0"]) + self.assertEqual(result.forward_anchor, "10.0.0") + + def test_three_majors_endpoint_shape(self): + """Synthetic endpoint-like majors mirror the #5601 reproducer shape.""" + manifests = { + "endpoint": { + "7.17.0": _manifest("^7.17.0"), + "8.2.0": _manifest("^8.2.0"), + "9.0.0": _manifest("^9.0.0"), + } + } + result = find_compatible_version_range("endpoint", manifests) + self.assertEqual(result.range, "^7.17.0 || ^8.2.0 || ^9.0.0 || ^10.0.0") + self.assertEqual(result.anchors, ["7.17.0", "8.2.0", "9.0.0"]) + self.assertEqual(result.forward_anchor, "10.0.0") - def test_cross_major_fallback(self): - """Falls back to an earlier major when the latest major is incompatible.""" + def 
test_skips_majors_with_no_overlap(self): + """Majors without stack overlap are omitted from anchors.""" manifests = { "pkg": { - "1.0.0": _manifest("^8.12.0"), - "2.0.0": _manifest("^9.4.0"), + "7.10.0": _manifest("^7.10.0"), + "9.4.0": _manifest("=9.4.0"), } } - self.assertEqual(find_least_compatible_version("pkg", "pkg", "8.12.0", manifests), "^1.0.0") + result = find_compatible_version_range("pkg", manifests) + self.assertEqual(result.range, "^7.10.0 || ^9.4.0 || ^10.0.0") + self.assertEqual(result.anchors, ["7.10.0", "9.4.0"]) - def test_or_clause(self): - """OR'd clauses are honored by the least-compatible search.""" - manifests = {"pkg": {"1.0.0": _manifest("^8.12.0 || ^9.0.0")}} - self.assertEqual(find_least_compatible_version("pkg", "pkg", "9.1.0", manifests), "^1.0.0") + def test_raises_when_no_compatible_major(self): + """When no stack line can be resolved, raise.""" + manifests = { + "pkg": { + "1.0.0": _manifest(">=99.0.0 <99.0.0"), + } + } + with self.assertRaises(ValueError): + find_compatible_version_range("pkg", manifests) + + def test_returns_anchor_list_for_policy_template_lookup(self): + """Anchors and forward anchor are exposed for policy template union.""" + manifests = { + "pkg": { + "1.0.0": _manifest("^1.0.0"), + "2.0.0": _manifest("^2.0.0"), + } + } + result = find_compatible_version_range("pkg", manifests) + self.assertEqual(result.anchors, ["1.0.0", "2.0.0"]) + self.assertEqual(result.forward_anchor, "3.0.0") diff --git a/tests/test_integrations_version_performance.py b/tests/test_integrations_version_performance.py new file mode 100644 index 00000000000..f0691bce739 --- /dev/null +++ b/tests/test_integrations_version_performance.py 
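Review bot: `test_stack_invariance` calls `find_compatible_version_range("pkg", manifests)` twice with the same arguments and asserts the two results are equal, which only proves determinism; invariance now follows from the signature having no stack parameter, and the test passes even if the emitted range is wrong. Pin the value instead, e.g. `self.assertEqual(first.range, "^1.0.0 || ^2.0.0 || ^3.0.0")` alongside the equality check. The docstring of `test_skips_majors_with_no_overlap` promises that majors without overlap are omitted, but both manifests in the fixture become anchors and the only thing skipped is the 8.x stack line that has no manifest at all, so say that: `"""8.x has no manifest at all and must yield no anchor."""`. `test_raises_when_no_compatible_major` also depends on the range parser treating `>=99.0.0 <99.0.0` as an empty range rather than rejecting it as malformed; a comment naming that assumption would help whoever later tightens the parser.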
@@ -0,0 +1,105 @@ +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. + +"""Opt-in performance comparison for related integration version resolution.""" + +import os +import statistics +import timeit +import unittest +from collections import OrderedDict +from typing import Any + +from semver import Version + +from detection_rules.config import load_current_package_version +from detection_rules.integrations import find_compatible_version_range, load_integrations_manifests + + +def _benchmark_find_least_compatible_version( + package: str, + integration: str, + current_stack_version: str, + packages_manifest: dict[str, Any], +) -> str: + """Snapshot of pre-#5601 ``find_least_compatible_version`` for benchmarking only.""" + from detection_rules.integrations import _satisfies_kibana_range + + integration_manifests = dict(sorted(packages_manifest[package].items(), key=lambda x: Version.parse(x[0]))) + stack_version = Version.parse(current_stack_version, optional_minor_and_patch=True) + + major_versions = sorted( + {Version.parse(manifest_version).major for manifest_version in integration_manifests}, + reverse=True, + ) + for max_major in major_versions: + major_integration_manifests = { + k: v for k, v in integration_manifests.items() if Version.parse(k).major == max_major + } + + for version, manifest in OrderedDict( + sorted(major_integration_manifests.items(), key=lambda x: Version.parse(x[0])) + ).items(): + version_requirement = manifest["conditions"]["kibana"]["version"] + if _satisfies_kibana_range(stack_version, version_requirement): + return f"^{version}" + + raise ValueError(f"no compatible version for integration {package}:{integration}") + + +@unittest.skipUnless(os.environ.get("RUN_INTEGRATION_PERF"), "set RUN_INTEGRATION_PERF=1 to run") +class 
TestRelatedIntegrationsVersionPerformance(unittest.TestCase): + """Compare legacy stack-dependent lookup vs stack-invariant OR range.""" + + @classmethod + def setUpClass(cls): + cls.manifests = load_integrations_manifests() + cls.packages = ["endpoint", "aws", "windows"] + cls.stacks = ["8.19.0", "9.4.0", load_current_package_version()] + cls.repeat = 7 + cls.number = 500 + + @staticmethod + def _median_ms(timings: list[float]) -> float: + return statistics.median(timings) * 1000 + + def test_benchmark_old_vs_new(self): + """Print median timings for legacy vs OR-range resolution on real manifests.""" + rows: list[tuple[str, str, float, float, float]] = [] + + for package in self.packages: + if package not in self.manifests: + self.skipTest(f"{package} not in integration manifests") + + new_timings = timeit.repeat( + lambda: find_compatible_version_range(package, self.manifests), + repeat=self.repeat, + number=self.number, + ) + new_median = self._median_ms(new_timings) + + for stack in self.stacks: + old_timings = timeit.repeat( + lambda p=package, s=stack: _benchmark_find_least_compatible_version( + p, p, s, self.manifests + ), + repeat=self.repeat, + number=self.number, + ) + old_median = self._median_ms(old_timings) + ratio = new_median / old_median if old_median else float("inf") + rows.append((package, stack, old_median, new_median, ratio)) + + print("\nrelated_integrations version resolution (median ms per call)") + print(f"{'package':<12} {'stack':<10} {'old_ms':>10} {'new_ms':>10} {'new/old':>10}") + for package, stack, old_median, new_median, ratio in rows: + print(f"{package:<12} {stack:<10} {old_median:>10.4f} {new_median:>10.4f} {ratio:>10.2f}") + + for _package, _stack, old_median, new_median, ratio in rows: + if ratio > 10: + self.fail( + f"new implementation >10x slower than legacy for {_package} @ {_stack}: " + f"old={old_median:.4f}ms new={new_median:.4f}ms ratio={ratio:.2f}" + ) 
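Review bot: `test_benchmark_old_vs_new` turns wall-clock medians into a hard failure at `if ratio > 10: self.fail(...)`, so even behind `RUN_INTEGRATION_PERF` a loaded runner or a cold first import can fail it with no code change; keep the printed table and either drop the `fail` or compare against a generous absolute budget rather than a ratio. The first `timeit.repeat` lambda captures the loop variable `package` by late binding while the second binds `p=package, s=stack` as defaults — both are evaluated before the loop advances, so behaviour is correct, but the mixed style invites a refactor bug; write `lambda p=package: find_compatible_version_range(p, self.manifests)` for consistency. `self.skipTest(...)` inside the `for package in self.packages` loop abandons the remaining packages as soon as one is absent from the manifests, where a `continue` would still benchmark the others. The next patch in this series (02/15) deletes this file again, so these points only matter if 01/15 is applied on its own.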
From 6d8883191a42e48193b23dbcc5c67ceb6509019b Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Thu, 28 May 2026 14:36:44 -0500 Subject: [PATCH 02/15] fix(integrations): emit stack-invariant OR ranges for related_integrations Replace find_least_compatible_version with find_compatible_version_range so prebuilt rules export the same related_integrations.version across stack backports. Bump pyproject.toml patch version. Resolves #5601 --- detection_rules/etc/version.lock.json | 3743 ++++++++--------- pyproject.toml | 2 +- .../test_integrations_version_performance.py | 105 - 3 files changed, 1851 insertions(+), 1999 deletions(-) delete mode 100644 tests/test_integrations_version_performance.py diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index f6b11ecb85d..8e214315783 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json 
@@ -3,49 +3,49 @@ "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "f2eff7fde63919cf5ce12fc0a43b396d4f946d0b91202749bb8e1959ba503cbd", "type": "query", - "version": 417 + "version": 416 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "9fa5bb58f3f3b4c55a18dcad65a001a8a4217afcc2ced7112a1e295bcb5a79a2", "type": "eql", - "version": 322 + "version": 321 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", "sha256": "2fa22b5ffca90b0b5dda594ac010099051455bf90a1290e366e75c3f6c31f353", "type": "eql", - "version": 423 + "version": 422 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", "sha256": "dba5d16fb893bdb86a173237b75117a8e000bca4f1a47a96d9492119f8beea74", "type": "eql", - "version": 8 + "version": 7 }, "00546494-5bb0-49d6-9220-5f3b4c12f26a": { "rule_name": "Uncommon Destination Port Connection by Web Server", "sha256": "7dc587f4807bf20137a0a7d3a415b2807d481a1dd245b423be1d9addca63dff9", "type": "eql", - "version": 7 + "version": 6 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", "sha256": "91b36ea21ef5f2334a76a399ad91075977d7b149b9bab8bad35c854914d62420", "type": "query", - "version": 9 + "version": 8 }, "012bfca7-45cb-4507-a3ba-3777167f8b81": { "rule_name": "Google Workspace Device Registration After OAuth from Suspicious ASN", "sha256": "5020e674a38d5634ad2d4127128c09eab9c1131b1e448655eec8c5c6145427a0", "type": "eql", - "version": 2 + "version": 1 }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Deprecated - M365 Security Compliance User Restricted from Sending Email", "sha256": "226cb4ca9b14010933649d9bac8285e8266edb900b2d835b38307bc6fb629385", "type": "query", - "version": 214 + "version": 213 }, "015cca13-8832-49ac-a01b-a396114809f6": { "rule_name": "Deprecated - AWS Redshift Cluster Creation", 
@@ -57,62 +57,62 @@ "rule_name": "Potential Network Scan Detected", "sha256": "5484efed9ed2e59b10577e3d86ecbe4dca7de9f28a241e509931c2595d8d9f4c", "type": "esql", - "version": 16 + "version": 15 }, "017de1e4-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Detected - Elastic Defend", "sha256": "2b1277af9a824d07977a035ae4f6833f19e26f54f8e63a687a92d4333c198416", "type": "query", - "version": 6 + "version": 5 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "076646ab6716181a2c6a88272c23d0eff028f4d43e05b1b9ba681c8fb13bb83b", "type": "new_terms", - "version": 209 + "version": 208 }, "02137bc2-5cc2-4f7f-a8e4-c52dc239aa69": { "rule_name": "AppArmor Policy Violation Detected", "sha256": "88dba2a32e25df07ff1ec197f82476ff39ecf0522f67fee729ea5d919aaf7d62", "type": "eql", - "version": 2 + "version": 1 }, "02275e05-57a1-46ab-a443-7fb444da6b28": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities", "sha256": "539f711b818d81795aaa0685de7d462dde5553ec579eb775fdcf8f69ab9227d5", "type": "eql", - "version": 5 + "version": 4 }, "022c37cd-5a4f-422b-8227-b136b7a23180": { "rule_name": "Azure Arc Cluster Credential Access by Identity from Unusual Source", "sha256": "71236804fae2460ed5d446795ca47484be4217066c02e16e29684c83d8c4d403", "type": "new_terms", - "version": 4 + "version": 3 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "effdc73f270011dd596efce8ebf1cec1af482896d9c27adf8015357428042c50", "type": "eql", - "version": 212 + "version": 211 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "ea027afabe0d5c7840b6fa74533bd16b107d9fe59b134747165b941da38827f8", "type": "new_terms", - "version": 209 + "version": 208 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an 
Elevated Token", "sha256": "c9ca8efdee1a28a5dab4c8569bdcc0b3f97a2dbf4857ba44b4691a0992a386ba", "type": "eql", - "version": 13 + "version": 12 }, "02a4576a-7480-4284-9327-548a806b5e48": { "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "6089c2d9e1a728c906a10e30c7d3eca6eb9962492dde251a805ef9e7b97f8ee6", "type": "eql", - "version": 313 + "version": 312 }, "02b4420d-eda2-4529-9e46-4a60eccb7e2d": { "min_stack_version": "9.4", 
@@ -128,56 +128,56 @@ "rule_name": "Spike in Group Privilege Change Events", "sha256": "d8194e445c87e8157a08b8aacf0fd3e0cafe76ef4c01be534907b1acb4c90108", "type": "machine_learning", - "version": 106 + "version": 105 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { "rule_name": "Potential Ransomware Note File Dropped via SMB", "sha256": "5888e1f7b14960dd1d20594bea541a44ae3029b63ca3ce47feb51f121784e9d4", "type": "eql", - "version": 9 + "version": 8 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "461a4ec7597b693fe5f35f593cdf375a1d5d719622fcf7de882224c58a1eb06a", + "sha256": "66859e52222069071bde2462f6cd971de312d63c6ca5da48abd9bde1d8a9986a", "type": "eql", - "version": 113 + "version": 111 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "M365 Exchange Email Safe Attachment Rule Disabled", "sha256": "a13cc41b5296170dea0f9410986cbb6e32524cd0655f9b7dd0cde9738b7fe8ae", "type": "query", - "version": 214 + "version": 213 }, "03245b25-3849-4052-ab48-72de65a82c35": { "rule_name": "GitHub Actions Unusual Bot Push to Repository", "sha256": "8299a1ebfbcff5d084b1ffd256aaa5dbf5d7929e8b0a9037bc7d83792b927b4c", "type": "new_terms", - "version": 4 + "version": 3 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", "sha256": "65e29cfdd640c3d225586aceda29585c5bc3a9e76ff34a0764f403094b8c9ade", "type": "threshold", - "version": 219 + "version": 218 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { "rule_name": "Potential Memory Seeking Activity", "sha256": "6f7728c25cb5067fe5f3da92b9e429591bee6ca7b05b0dc967ed772bfc19c1d4", "type": "eql", - "version": 8 + "version": 7 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { "rule_name": "Suspicious Dynamic Linker Discovery via od", "sha256": "1955ce390a89fb19809e63ab7de3f8c5daa3aad4045bec36bcaa5b65779e457d", "type": "eql", - "version": 109 + "version": 108 }, "0398c0a2-1237-478e-84c4-84510f1925e6": { "min_stack_version": 
"9.3", "rule_name": "Suspicious Container Runtime CLI Execution", "sha256": "d5f015f6a331cc001e19f26c5ee3d237fb5ef1aa6b240399f308719833d3852f", "type": "eql", - "version": 2 + "version": 1 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { "rule_name": "Deprecated - SSH Process Launched From Inside A Container", @@ -189,31 +189,31 @@ "rule_name": "First Time Python Accessed Sensitive Credential Files", "sha256": "aa5c2a00f56d00f3919acc63046fbd07594b643728777215c6faf15acefea5b8", "type": "new_terms", - "version": 3 + "version": 2 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "rule_name": "Potential Network Scan Executed From Host", "sha256": "74510e92c414883b3395c16038036135ff8ab99e5598ed0fa19fdadd86e0b701", "type": "threshold", - "version": 9 + "version": 8 }, "03d856c2-7f74-4540-a530-e20af5e39789": { "rule_name": "Multi-Base64 Decoding Attempt from Suspicious Location", "sha256": "074027b2bad9f1ac786fc520f793d1c3f48adbf4c5dee422b7ac017e8197672a", "type": "eql", - "version": 4 + "version": 3 }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { "rule_name": "First Time AWS CloudFormation Stack Creation", "sha256": "5a13a67e1b4bf143cfe2a0d8d3447f6a60fc0715e8494ee228a0040708d817d9", "type": "new_terms", - "version": 9 + "version": 8 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Renaming of OpenSSH Binaries", "sha256": "9ee995138cffed589e949a0c429e822f01d39ee3d4e57daa0b0130de809eae76", "type": "query", - "version": 116 + "version": 115 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", 
@@ -235,98 +235,98 @@ "rule_name": "High Number of Protected Branch Force Pushes by User", "sha256": "eafae5474516c5620352bbf6fdc4e5746adb3cf882352bad06a19d7dbfd26020", "type": "esql", - "version": 105 + "version": 104 }, "043d80a3-c49e-43ef-9c72-1088f0c7b278": { "rule_name": "Potential Escalation via Vulnerable MSI Repair", "sha256": "e2c6fff3a05f4beae4ec1516c8b501efd3c644f9f9429d133b66003586f72649", "type": "eql", - "version": 208 + "version": 207 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "rule_name": "Entra ID Global Administrator Role Assigned", "sha256": "9e8ad446f3a34d36c690d2af3ab183e06ef27545b244ce0b4f700d573cb8c71d", "type": "query", - "version": 109 + "version": 108 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { "rule_name": "User Added to the Admin Group", "sha256": "821c6dce76699d5db4ac9172fa84dc029f5ef229b4440a41bf7d9a375104654d", "type": "eql", - "version": 7 + "version": 6 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Suspicious Microsoft Antimalware Service Execution", "sha256": "c4b43d411a14ed5441f18c7ac996e4d2ca17ce62a46155c9b8ef8a35e8e612f9", "type": "eql", - "version": 220 + "version": 219 }, "054853f3-2ce0-41f3-a6eb-4a4867f39cdc": { "rule_name": "M365 Defender Alerts Signal", "sha256": "b4a2a0cb67bf979baded41864bc6fa10883535dc419e6b6488ba8b1c8d0fb907", "type": "query", - "version": 3 + "version": 2 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", "sha256": "af7ccb91cc20e0406d5dbf0a368623b91dbe2fe0345075123197e22162c25280", "type": "eql", - "version": 14 + "version": 13 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "489f0b6d8e4c6a6b209771bd6fe6a15862f20fa603d6b726a5b1c1446bfb9099", "type": "eql", - "version": 221 + "version": 220 }, "05a50000-9886-4695-ad33-3f990dc142e2": { "min_stack_version": "9.3", "rule_name": "System Path File Creation and Execution Detected via Defend for Containers", "sha256": 
"651ccae1e6baff5b1d018b9d02b49fa294970a75eddd6ad69ee73c7be6983531", "type": "eql", - "version": 3 + "version": 2 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "28db07df550ab0c72b01f5a00328a9a82b8baba0149cd6d30f2c8c1120db1690", "type": "eql", - "version": 315 + "version": 314 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "rule_name": "Tainted Kernel Module Load", "sha256": "d4df17e4c4a8b6081d4dc4c4682ee25d1ed06862635d77ea153047f150e1b1f7", "type": "query", - "version": 11 + "version": 10 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "aa3c02fb79c761a80f4964773218383ce6f2fa3d6edbb33b4228d9f58a4d7224", "type": "eql", - "version": 115 + "version": 114 }, "05f2b649-dc03-4e9a-8c4e-6762469e8249": { "rule_name": "Suspicious AWS S3 Connection via Script Interpreter", - "sha256": "669be78f871a6559df4a0c80ef44125d4cce232a4846f117ea367f27bf06a8c4", + "sha256": "bdcf91c78e9c5c094fb384d21437ea44ff202ce66a874ddeb50bbd6be3ecd14f", "type": "esql", - "version": 5 + "version": 3 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", "sha256": "287d45f63f9e0a5633a9830bc210991eedc0daf0db72f995831d011600a3b750", "type": "eql", - "version": 218 + "version": 217 }, "064a2e08-25da-11f0-b1f1-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk", "sha256": "fbb58851e7b0642dbb3d884af38bac704a32fd6065228ae2d97cc8769bf6a93f", "type": "query", - "version": 6 + "version": 5 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "rule_name": "System Time Discovery", "sha256": "3c5edef6420d3b719294df8da79f6f77b0e473d0d2f3bbd1fa89103aa8f53bcf", "type": "eql", - "version": 115 + "version": 114 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "min_stack_version": "9.4", 
@@ -342,97 +342,97 @@ "rule_name": "Unusual Remote File Size", "sha256": "ea21c2579a2ea6d078cc251597362fa05d6ad0a2b65fc498d6c5059636d8b638", "type": "machine_learning", - "version": 110 + "version": 109 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "61186ac011e99a690ffc2ca0232ca0d4c1a56577cd1b882fc838f4adec3b1372", "type": "eql", - "version": 216 + "version": 215 }, "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { "rule_name": "Dynamic Linker (ld.so) Creation", "sha256": "6350e0d9141e53b3f2c4ecc5b9384512cd89637b34bb845ffedb10e893777303", "type": "eql", - "version": 108 + "version": 107 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", "sha256": "e0fc6fce12b37afcc2729cc67ce98534a81f241684b19f9763e9f1220fd3d190", "type": "eql", - "version": 221 + "version": 220 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Prevented- Elastic Defend", "sha256": "39ab8efbaba1708840ab6193657a5a186f3a085b6224598c77a08006514293dd", "type": "query", - "version": 5 + "version": 4 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "b61bad8552dae17b256c73cb62eb7e5240586363ca2bdfae7dce74ffc35cb129", "type": "eql", - "version": 319 + "version": 318 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "5b3ad0cab15b804ec79acfddc6075930f20e13bdc9b7df71afa2bab6135aa015", "type": "eql", - "version": 211 + "version": 210 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", "sha256": "2a82445079956301b16981f1c33b9a8f5c65ffee6d2ef7b6948e62f24689a072", "type": "threshold", - "version": 10 + "version": 9 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "e5ead4056278a234ee157310599f05d05e66fe7be04c4658c711e90a8fbfdd8e", 
"type": "eql", - "version": 322 + "version": 321 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "cf7654ebd4c213e045aaa2ad22109e5d4d8d75c557757a8402eabe3919da5acb", "type": "query", - "version": 112 + "version": 111 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", "sha256": "e0131321585947ebb113994bcb41271b69a40753710365ea30b2a1204ad5008d", "type": "eql", - "version": 114 + "version": 113 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Service Creation and Immediate Loading", "sha256": "6e6a989495990c86ba5a6dc1a3178fbe5dc8a8e23542837ce40be022461703e9", "type": "eql", - "version": 113 + "version": 112 }, "083383af-b9a4-42b7-a463-29c40efe7797": { "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", "sha256": "df58a717def18bd6b87e4ee7c0b9b92e104cfaef8714f6029f3f4cc26a4c2f7a", "type": "esql", - "version": 12 + "version": 11 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", "sha256": "3e6315c69df778ac0ee943ef7672b9725a6c36ecdedf6c955d1609b9f0c936cc", "type": "eql", - "version": 112 + "version": 111 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "rule_name": "First Time Seen Removable Device", "sha256": "8d49ac6a7e4266309a445287ddba7de4a7c3953b54030f6bb1b22a2579d6e607", "type": "new_terms", - "version": 215 + "version": 214 }, "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": { "rule_name": "Node.js Pre or Post-Install Script Execution", "sha256": "f161b256265c51cd268982d28acc9d9220cc7c1aba15a8b036c39d9ae9253da3", "type": "eql", - "version": 5 + "version": 4 }, "08933236-b27a-49f6-b04a-a616983f04b9": { "rule_name": "Alerts From Multiple Integrations by Destination Address", 
@@ -444,7 +444,7 @@
 "rule_name": "Windows Account or Group Discovery",
 "sha256": "ce8ca8f191f83b34e7b0a028117f3ed158af3ebc4c3f9d40a1614f01033cd93e",
 "type": "eql",
- "version": 9
+ "version": 8
 },
 "08be5599-3719-4bbd-8cbc-7e9cff556881": {
 "min_stack_version": "9.4",
@@ -460,7 +460,7 @@
 "rule_name": "Unusual Source IP for Windows Privileged Operations Detected",
 "sha256": "cba194c97b4198045ac48cbff7beb5cf8aa6cd337abe8b945d0e921ea725f96c",
 "type": "machine_learning",
- "version": 105
+ "version": 104
 },
 "08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
 "rule_name": "TCP Port 8000 Activity to the Internet",
@@ -472,13 +472,13 @@
 "rule_name": "Attempt to Clear Logs via Journalctl",
 "sha256": "dc61913b2bea0be5a6013cb04da91ce28b84fce2780a58eb7bcb8c1a871ba003",
 "type": "eql",
- "version": 3
+ "version": 2
 },
 "092b068f-84ac-485d-8a55-7dd9e006715f": {
 "rule_name": "Creation of Hidden Launch Agent or Daemon",
 "sha256": "89f5838ed3a10f58fb95b54bf3a065b1edfcbccc6e82ba7249e7714ec14af877",
 "type": "eql",
- "version": 114
+ "version": 113
 },
 "09443c92-46b3-45a4-8f25-383b028b258d": {
 "rule_name": "Deprecated - Process Termination followed by Deletion",
@@ -490,7 +490,7 @@
 "rule_name": "Member Removed From GitHub Organization",
 "sha256": "2ffad86dda9d63530d2b961af027f8ccf552593370bec658c394b6bfbee14ed9",
 "type": "eql",
- "version": 207
+ "version": 206
 },
 "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
 "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
@@ -512,25 +512,25 @@ "rule_name": "Spike in Special Logon Events", "sha256": "af7d7f8466de0579c7532f0e4cc5b23f711bc0484f6e516cc0f3962f7e510a6c", "type": "machine_learning", - "version": 105 + "version": 104 }, "098bd5cc-fd55-438f-b354-7d6cd9856a08": { "rule_name": "High Number of Closed Pull Requests by User", "sha256": "f46d127ff65faf71c8a8b0f3fb5821e6deb79ff046965cbe27aa8f63f7229354", "type": "esql", - "version": 5 + "version": 4 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "sha256": "21a80a8417bb2147dbcfad3bbd1dbac0c463712efa27f14464c0547f66e34582", "type": "eql", - "version": 12 + "version": 11 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure VNet Firewall Front Door WAF Policy Deleted", "sha256": "2d00df8fc7b00a913e0c182043c1a112d1b2690af2c81572f80ad04a284e5df0", "type": "query", - "version": 109 + "version": 108 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Elastic Endgame", @@ -542,19 +542,19 @@ "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "sha256": "6a2860edb5ebe67b8ddbfd0633c2fc64f43eb9a1a0b6cb59f298b6e207944b51", "type": "query", - "version": 10 + "version": 9 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "rule_name": "Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "62831c7e91ee7ce21ec1904ea276f67fc1771d890a541a18fba380632f6a8e04", "type": "query", - "version": 214 + "version": 213 }, "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { "rule_name": "Yum Package Manager Plugin File Creation", "sha256": "dbae98880bf9a0c1e97107f8d4f2e8db844623eea45f77f379c744c955ea36dc", "type": "eql", - "version": 11 + "version": 10 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "9.4", 
@@ -570,61 +570,61 @@ "rule_name": "Anomalous Windows Process Creation", "sha256": "4322d572dd7347e0c0b1fe18bb2c528d15656965e263d2d9209a6ccbe24facdd", "type": "machine_learning", - "version": 313 + "version": 312 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", "sha256": "02414f778b92b4c687768c61989adb3f2b632c354674ecf7c580d1e549cdba9b", "type": "query", - "version": 222 + "version": 221 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", "sha256": "09dffcc4e5124f18d47919fe93f50abaeb60d6834acf7ead306f212a6eba4afd", "type": "eql", - "version": 7 + "version": 6 }, "0b79f5c0-2c31-4fea-86cd-e62644278205": { "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", "sha256": "930b95c69bf6eea872d22434afefa58e36c3427fe3074d3010aa7531c87510b7", "type": "eql", - "version": 8 + "version": 7 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "rule_name": "Potential Shell via Wildcard Injection Detected", "sha256": "7d77a4998b0ebb67b07e857ede2aade5168aa1ae3854965f321bbac0e38be89f", "type": "eql", - "version": 114 + "version": 113 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "rule_name": "Attempt to Establish VScode Remote Tunnel", "sha256": "438c321a47c109bde474d6eeb1ea633ec7f60705edf876aaaa4b0a8dfec1af2b", "type": "eql", - "version": 113 + "version": 112 }, "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": { "rule_name": "Elastic Defend and Network Security Alerts Correlation", "sha256": "15b613d3ba0acece6a8253f34df9e3f8528ec9a65642dfb2585425a083f8b7a6", "type": "esql", - "version": 8 + "version": 7 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "rule_name": "Processes with Trailing Spaces", "sha256": "eea37dd20530605c66b9747aec38cabb0194bce5bb2991f9b1744136a6c3cf26", "type": "eql", - "version": 6 + "version": 5 }, "0c1e8fda-4f09-451e-bc77-a192b6cbfc32": { "rule_name": "Potential Hex Payload Execution via Common Utility", "sha256": 
"93cd06950bf1b69b6bd8abd8923e82b0e7c578c6e93606cfcd6be0f5909f8bb7", "type": "eql", - "version": 108 + "version": 107 }, "0c3c80de-08c2-11f0-bd11-f661ea17fbcc": { "rule_name": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User", "sha256": "990caac706a81700f2a8457d690ca56ba943e899e776bb8e8d053ee4aa3d5d13", "type": "new_terms", - "version": 9 + "version": 8 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", @@ -636,13 +636,13 @@ "rule_name": "Ransomware - Detected - Elastic Defend", "sha256": "4cd274302356966cd95f09c1100bc8a7ded3746edf7901cc0a36a7d8a85120fb", "type": "query", - "version": 6 + "version": 5 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", "sha256": "156bd381d564774d81e1860d26cfc6d4a84a75a320968e06ed2b550945efaa1c", "type": "eql", - "version": 317 + "version": 316 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "rule_name": "Deprecated - Threat Intel Indicator Match", @@ -664,19 +664,19 @@ "rule_name": "High Command Line Entropy Detected for Privileged Commands", "sha256": "e1065505966fda7f392ba493ac2b31b91e6f378c082d6704f3134ac39a389494", "type": "machine_learning", - "version": 105 + "version": 104 }, "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", - "sha256": "2d520b970c95e1e70958288a6575a3b71c21e856ff41cb18b171b44506169b45", + "sha256": "b8b8dd78b8c6c7dc7963683187e44adf10d7f96d6f8fb08ea9d8a6f1015f376b", "type": "esql", - "version": 10 + "version": 8 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "M365 Exchange Mailbox High-Risk Permission Delegated", "sha256": "894f2eba51cb0eb9109b09f87d273ae20204ec8d8ff1a5d3cd366e6650808047", "type": "new_terms", - "version": 215 + "version": 214 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "rule_name": "Multiple Alerts Involving a User", 
@@ -686,21 +686,21 @@ }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph", - "sha256": "472e86a957fc6ecf72dde9cd5c8c0671d265c7ca592ce1fab10419723a16ecbc", + "sha256": "51e32252c859489884ccd4518fe7dae46ab0cea3f05342fccdf9a5b466fc0e2c", "type": "esql", - "version": 12 + "version": 10 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", "sha256": "dd76e3f0f0d4cc6807c6afcd4c5894467e3047dd19959748a879badf05fd647a", "type": "eql", - "version": 214 + "version": 213 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "3a48b704510ee51161efcef2c5705490f323ebcfa4d2df40ecc16fad5fff2fe8", "type": "eql", - "version": 116 + "version": 115 }, "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": { "min_stack_version": "9.2", 
@@ -716,49 +716,49 @@ "rule_name": "AWS Access Token Used from Multiple Addresses", "sha256": "77f473d39331e99c4f5139d471dc7043828fe6b9f3f0cddcf60878264857b71a", "type": "esql", - "version": 209 + "version": 208 }, "0dd84246-a723-49ba-9f4e-a1e1dfa15990": { "rule_name": "Potential Privilege Escalation via unshare Followed by Root Process", "sha256": "6118b8b7dee465096a34d550a7c8f2720f92f9506cf447e07f2c3b5f821c5f26", "type": "eql", - "version": 2 + "version": 1 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", - "sha256": "abe81409b4f3930ca47eebd6a12cc582818fdd323afa0d361dd47d0e3ae9a830", + "sha256": "6319c31a290d00e0983d81b1971155caa96f3687a61721f79286857c1bbbbab0", "type": "esql", - "version": 7 + "version": 5 }, "0e42f920-047d-4568-b961-2a50db6c4713": { "rule_name": "Potential Persistence via Mandatory User Profile", "sha256": "b8d61454cd6ec06100946627852de41f7198a191f70683750b03297e6247a441", "type": "eql", - "version": 4 + "version": 3 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "15cd22677a8340711fed0f7030ff28056951bba6f1f4f4c74dacd31c27371ef5", "type": "new_terms", - "version": 209 + "version": 208 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "M365 SharePoint Malware File Detected", "sha256": "219149d921e9d74f4d05b7c228fa56ee3ae14df3a2c0373e981d498069bb89f4", "type": "query", - "version": 214 + "version": 213 }, "0e524fa6-eed3-11ef-82b4-f661ea17fbce": { "rule_name": "M365 OneDrive/SharePoint Excessive File Downloads", "sha256": "f8d745a83d271544f83eefd939f7a08615847df7c8b31a345065cbc06db50ccd", "type": "esql", - "version": 10 + "version": 9 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", "sha256": "a7de922125422835641adbae4ac03d3876d7db4b40c6a39e3039ef79757b5c0a", "type": "query", - "version": 110 + "version": 109 }, 
"0e67f4f1-f683-43c0-8d45-c3293cf31e5d": { "rule_name": "Lateral Movement Alerts from a Newly Observed Source Address", @@ -770,7 +770,7 @@ "rule_name": "MsBuild Making Network Connections", "sha256": "1d2f40489c68453c001300064c4191b3c1118961bcbf8f98ef0ae3d7af2a7f6a", "type": "eql", - "version": 217 + "version": 216 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { "min_stack_version": "9.3", 
@@ -786,43 +786,43 @@ "rule_name": "Sensitive Audit Policy Sub-Category Disabled", "sha256": "ab3e71024a071b7fdfe5a78867ce7b97ee798a14a25a3ad4d5f93579c8d00be5", "type": "esql", - "version": 108 + "version": 107 }, "0f189343-dac7-4c1b-aca7-be8baa6bd02b": { "rule_name": "AWS EKS Control Plane Logging Disabled", "sha256": "3f3f94a9b977bf64c7ab034eb092132c770650ad6b1b602c9b5acc30f8c458da", "type": "query", - "version": 2 + "version": 1 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", "sha256": "0dd7907213fe1c2007ed13fc265447af5e1da11ec3932ac1bd234bac879ddd75", "type": "eql", - "version": 121 + "version": 120 }, "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": { "rule_name": "Polkit Policy Creation", "sha256": "390e710ade2de69e142c5ee48c04471d137a80031e3679e2c9675a40dbc10e4e", "type": "eql", - "version": 108 + "version": 107 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { "rule_name": "Netcat Listener Established via rlwrap", "sha256": "a0f0ae4b269a171b856191b76721c04753d2c3ed780decf03817b56e352235ee", "type": "eql", - "version": 110 + "version": 109 }, "0f5941c6-3db9-4d2f-91df-06c7c292ba45": { "rule_name": "Kubernetes Client Certificate Signing Request Created or Approved", "sha256": "6822f4f5fe5d3e698af1b1c09028b6c177c248af8515e0f1c7618e273ed73a8c", "type": "query", - "version": 2 + "version": 1 }, "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { "rule_name": "Behavior - Detected - Elastic Defend", "sha256": "d8fb41394bccffb0c9806c9a2edcf0cd1eefa2bc71a5d98d020b766f1e9e0c1c", "type": "query", - "version": 6 + "version": 5 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -834,20 +834,20 @@ "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "877b148eb16e5925faa6420c7ce4e5af877518280357765cf8b26d314d4866a4", "type": "threshold", - "version": 315 + "version": 314 }, "0fb25791-d8d4-42ab-8fc7-4954642de85f": { "rule_name": "Kubernetes Creation or Modification of Sensitive Role", - "sha256": "04c07a1e6ccab3425baf4670e28552a9c9780f4762960cf484cf3abc3bd0bb31", + "sha256": "b9c97990e6ca915c311408c981892865fdd39e7032758dd0bf98eb9c14eb5af0", "type": "esql", - "version": 5 + "version": 3 }, "0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": { "min_stack_version": "9.3", "rule_name": "Decoded Payload Piped to Interpreter Detected via Defend for Containers", "sha256": "99daa90cdf83d5fa31673dca3684a322c5b9b12882dbc2d4e82acfbc4a249401", "type": "eql", - "version": 3 + "version": 2 }, "0fe2290a-2664-4c9c-8263-b88904f12f0d": { "min_stack_version": "9.3", @@ -863,25 +863,25 @@ "rule_name": "Kubernetes Sensitive Configuration File Activity", "sha256": "bfc840c4e0154ce1c816dc7e6d4b277b6a431df45094be45f5f6c0166ac02aa4", "type": "eql", - "version": 104 + "version": 103 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "rule_name": "Privilege Escalation via Root Crontab File Modification", "sha256": "36da4f7c17d19fd33bbe592e8381c3917e11c309d47f43c7909d76b2740eb47b", "type": "eql", - "version": 111 + "version": 110 }, "1004ad5b-6900-4d28-ab5b-472f02e1fdfb": { "rule_name": "AWS SSM Inventory Reconnaissance by Rare User", "sha256": "1531a1d1f980b959ce58e42c0fb6a88915457be59be0697a2a52c266a55d4f25", "type": "new_terms", - "version": 4 + "version": 3 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { "rule_name": "AWS IAM Login Profile Added to User", "sha256": "65b7cb64433981f1907a05a2af586fe1deaa32e3e04f391a3b8be11d65cd67ef", "type": "query", - "version": 6 + "version": 5 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", 
@@ -893,37 +893,37 @@ "rule_name": "WebProxy Settings Modification", "sha256": "7a9a8ca308fe9d2c8060cae7cf57cb65402bef0f911c86790a0d29b8e978c4b7", "type": "eql", - "version": 212 + "version": 211 }, "10f3d520-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Ransomware - Prevented - Elastic Defend", "sha256": "3d0922a96d70e3acfbd3d41bfb8c15881b2c0754486948513d6e29ced4a004e4", "type": "query", - "version": 6 + "version": 5 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", "sha256": "be1fc253ed58440f6af839e8e5f79978eba0a908da3adb6fa9713f774fb8a7c0", "type": "query", - "version": 111 + "version": 110 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "f9bf3e298b294a41bb1856889477dcec525ec04804459de0294f14714ad143eb", "type": "eql", - "version": 220 + "version": 219 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "1224c28727d499af370240ca8e5ed7432294872e5d5258d9eedba7a8d8b72bb1", "type": "eql", - "version": 319 + "version": 318 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", "sha256": "b78786276c865fe5602cfe809acdf9d0912624f137a0cf4049b4b5aefb497f84", "type": "query", - "version": 214 + "version": 213 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", 
@@ -935,19 +935,19 @@ "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "a549668ec7559114b0115b356167686dc385ac990b386fb5e9f2b612c992357d", "type": "query", - "version": 120 + "version": 119 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "e2639febbe6e8a624a43a1a5782021cc15db735aef9129b0760de784416247ab", "type": "eql", - "version": 218 + "version": 217 }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "66bfe584a46f9c27ec808d78ca7f975b9ce6104c3bd2991510676d76e7e38cb5", "type": "query", - "version": 214 + "version": 213 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", @@ -969,13 +969,13 @@ "rule_name": "User Detected with Suspicious Windows Process(es)", "sha256": "f46f877d99943deae9fa5622e50247b35000bc4fa24fcdc5637f394a543ec995", "type": "machine_learning", - "version": 212 + "version": 211 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { "rule_name": "AWS Lambda Function Created or Updated", "sha256": "1360886265d6aeb35c9b356643d02b243b43284698ffec99bd03641da8d34084", "type": "query", - "version": 5 + "version": 4 }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", 
@@ -987,43 +987,43 @@ "rule_name": "Suspicious Lsass Process Access", "sha256": "13ea12c18b065bc285ea95a16119242a9882ef4c3103f521a1c701921ec69cd5", "type": "eql", - "version": 213 + "version": 212 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent", "sha256": "7c11440601de84729a35dfa170c057f749e1ed8943734cdad5d540f97f0900bf", "type": "new_terms", - "version": 212 + "version": 211 }, "12cbf709-69e8-4055-94f9-24314385c27e": { "rule_name": "Kubernetes Pod Created With HostNetwork", "sha256": "957cd8a8925cca175889fadff063ff73d18f178be083cbff70f868dfff58ad72", "type": "query", - "version": 211 + "version": 210 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "d32351494ff1b9ffd9ba55acf3ca09d761a8cc3d4944657b331a3e2cd0c2a611", "type": "eql", - "version": 212 + "version": 211 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "12486e435a49a8d6ae015693d43d444504c7f0ce79d8ac3f8e560b1a067e9cae", "type": "eql", - "version": 323 + "version": 322 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "rule_name": "Persistence via Scheduled Job Creation", "sha256": "a4cef089a97baa377ce98b7cb50c1a47a4a67b0f74e854692264582b8a57614e", "type": "eql", - "version": 417 + "version": 416 }, "135abb91-dcf4-48aa-b81a-5ad036b67c68": { "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", "sha256": "a9b1539d0e9db24ff1c2c89fbce7703a1e17089844275ce75a152f357dcffb33", "type": "eql", - "version": 108 + "version": 107 }, "138520d2-11ff-4288-a80e-a45b36dca4b1": { "min_stack_version": "9.4", @@ -1039,7 +1039,7 @@ "rule_name": "Spike in Group Membership Events", "sha256": "6833917467dfd8d34a81995993907c41c52722e7afecb30ec5fec5641477c8f2", "type": "machine_learning", - "version": 105 + "version": 104 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "min_stack_version": "9.4", 
@@ -1055,13 +1055,13 @@ "rule_name": "Rare User Logon", "sha256": "e7b1144434301dcf8d3c853460221fd971055d06b21eae12d6434b5e898d91e3", "type": "machine_learning", - "version": 208 + "version": 207 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - Note Files by System", - "sha256": "a9f85172bac9830301829a91b05587e31bd7f5ab365927804ae2705b2f5ef2de", + "sha256": "a4773853ce1ea436c93f739ecc375ebc074829200e0ed449ee0e3bec0becb585", "type": "esql", - "version": 217 + "version": 215 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", 
@@ -1073,85 +1073,85 @@ "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score", "sha256": "526f288219500704dab7160a26e0af9e6dbb812dcf0e2b12895e0f2412792343", "type": "eql", - "version": 14 + "version": 13 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Entra ID External Guest User Invited", "sha256": "3cc4581f69c27422b3f2353597665249059ba22ef323c49c2b97218a803eaac9", "type": "query", - "version": 110 + "version": 109 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "0ad5c2e271c9001326aa27dfc63f6c35a4138bc03e6a1e4db48aaeac803e30f6", "type": "query", - "version": 112 + "version": 111 }, "14dab405-5dd9-450c-8106-72951af2391f": { "rule_name": "Office Test Registry Persistence", "sha256": "6ae151273f3904946010828516f37ea7cb7152e34ac5eebb85174cd704f59d78", "type": "eql", - "version": 110 + "version": 109 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "rule_name": "Kubernetes User Exec into Pod", "sha256": "b84822387863316ee7e038ffc13bbf210e9d66bdd21bc0c4cbc1806a7a261d09", "type": "eql", - "version": 212 + "version": 211 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "5fb9943cdf453b43370e6f92b8be06a5dfe213e2bcd3566aa2e2bd08e9d21e7b", "type": "eql", - "version": 318 + "version": 317 }, "14fa0285-fe78-4843-ac8e-f4b481f49da9": { "rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application", "sha256": "1d5cd26347a6790ae2294701743b179765b2d5f29842f30b7564687d387f8cc7", "type": "query", - "version": 9 + "version": 8 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "da0623d8382c2550dc8e2605907d304a97ce85101085e93eaae2be757ed6242f", "type": "new_terms", - "version": 210 + "version": 209 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to 
Allow Public Invocation", "sha256": "1e38ba5abce5df6e94d4f7ff4ef607302c6726044195ba8953854867fec17b60", "type": "eql", - "version": 9 + "version": 8 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": "Execution from a Removable Media with Network Connection", "sha256": "4f8dae1671164a15e104cf7087d42d6a879f2c0809501137ee183c0f3f3ee364", "type": "eql", - "version": 8 + "version": 7 }, "15606250-449d-46a8-aaff-4043e42aefb9": { "rule_name": "Suspicious StartupItem Plist Creation", "sha256": "f63835bd6dbd1ae1525c1f9d9b34983545dcb86f455e65e49d50b96726bcd6c8", "type": "eql", - "version": 2 + "version": 1 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "7c14ff284718226ea6475885fa3d285019ef181a69705bed2afb9f25ce81b4fc", "type": "eql", - "version": 217 + "version": 216 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "62c79ce5bae7cf736a51c50a7e07508e4a50999a807161a4e0c68835b2a29780", "type": "eql", - "version": 321 + "version": 320 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", "sha256": "11df8567d6795588d2f0b1c35dd8ca813fcf809258461c5483790a459bdc1cc9", "type": "eql", - "version": 114 + "version": 113 }, "1600f9e2-5be6-4742-8593-1ba50cd94069": { "min_stack_version": "9.3", @@ -1167,7 +1167,7 @@ "rule_name": "Kubectl Permission Discovery", "sha256": "88b8163bdbf4231ba333b88a4662e21abc05924a08f51847cda7ed108328e09c", "type": "eql", - "version": 107 + "version": 106 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { "min_stack_version": "9.3", 
@@ -1183,67 +1183,67 @@ "rule_name": "Potential release_agent Container Escape Detected via Defend for Containers", "sha256": "83cc6f40e6132026e20c447cd04f8cba5947105f81fe35a20b393a650d0ca896", "type": "eql", - "version": 105 + "version": 104 }, "1615230f-beb7-48d8-9b3f-6d10674703bf": { "rule_name": "Suspicious SIP Check by macOS Application", "sha256": "fa8c6092c9b9b8566ea7901262f4a9a3660b455e07ecb434fb833cdee30197d6", "type": "eql", - "version": 3 + "version": 2 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "090781ceb0f70e5c6d5854c34e2def7e8983a8c0fc34e614674ef24f4a9c74d9", "type": "query", - "version": 109 + "version": 108 }, "163a8f2f-c8a0-4b7e-9c4a-1184310eb7f3": { "rule_name": "Potential CVE-2025-32463 Nsswitch File Creation", "sha256": "811b20416cead7025ab23de710ac19ed81924cc270507221b356a395d5fd4940", "type": "eql", - "version": 4 + "version": 3 }, "166727ab-6768-4e26-b80c-948b228ffc06": { "rule_name": "Potential Timestomp in Executable Files", "sha256": "d412a6320c3b63e9d14e2897865c8df7a907154312cbc26891375687109ccfa0", "type": "eql", - "version": 112 + "version": 111 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", "sha256": "d044c2e031f6739d53c3387ad4e0c7f4e1617a0fad10f442fa29118f43b2a0e0", "type": "eql", - "version": 113 + "version": 112 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", "sha256": "a18672298cd92d568cb52d61601a039e39aa68213d8dc698fcdfa49d06280434", "type": "query", - "version": 213 + "version": 212 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", "sha256": "d4267bbb2896541227ff0042bb5fd07bf0d5d673472429d931cda1a80f41b666", "type": "eql", - "version": 121 + "version": 120 }, "16acac42-b2f9-4802-9290-d6c30914db6e": { "rule_name": "AWS S3 Static Site JavaScript File Uploaded", - "sha256": 
"d6e67ba8f5d522fdaf54905ce6676e2bf94e5b7fd3b04aa26f92e5975ffa52e5", + "sha256": "6b1835065de149596f5514acac7116d616ab69afd1ff4bd6c3187a13fe27493f", "type": "esql", - "version": 10 + "version": 8 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "e9d66fb58444a717fbb2b15ebf5f7ed7e2d888737fdf681a8537349fb9d7f291", "type": "eql", - "version": 217 + "version": 216 }, "1719ee47-89b8-4407-9d55-6dff2629dd4c": { "rule_name": "Persistence via a Windows Installer", "sha256": "96017fdffa7b8eafbd4630fac4ec0b8079bee2375bcd6ab550558ff48cf9bf1f", "type": "eql", - "version": 8 + "version": 7 }, "171a4981-9c1a-4a03-9028-21cff4b27b38": { "rule_name": "Suspected Lateral Movement from Compromised Host", @@ -1253,9 +1253,9 @@ }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", - "sha256": "5b8d5a1b99c6b3e9b8f23db751a98aa42d12ea85d9927aac93c2ed685d2b6655", + "sha256": "2eeb4a2916c11aeca4185ded593f86975317296adad1f32d19f4d5f39f380f53", "type": "esql", - "version": 9 + "version": 7 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "9.4", @@ -1271,7 +1271,7 @@ "rule_name": "Unusual Windows Username", "sha256": "439a53c97f890e9069f64ade7995b100cf7c08ab3c4305b076c384db5cf6477d", "type": "machine_learning", - "version": 311 + "version": 310 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "min_stack_version": "9.4", @@ -1287,7 +1287,7 @@ "rule_name": "Unusual Windows Service", "sha256": "0eea7398ab7fbbc674a804b6fc2fb7f331e747e7c1a28927089d51e5254a48de", "type": "machine_learning", - "version": 311 + "version": 310 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "min_stack_version": "9.4", 
@@ -1303,7 +1303,7 @@ "rule_name": "Suspicious Powershell Script", "sha256": "815e86bb07efd5d73767e45677054f24f0b072412b4ba7210f195289eb9e9832", "type": "machine_learning", - "version": 312 + "version": 311 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "min_stack_version": "9.4", @@ -1319,7 +1319,7 @@ "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "ac8baea0b2fd71b85c09a46482ad8e3c79f0334488c25ee2018c79f274231c4c", "type": "machine_learning", - "version": 311 + "version": 310 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "min_stack_version": "9.4", @@ -1335,7 +1335,7 @@ "rule_name": "Unusual Windows Remote User", "sha256": "c2541cadb2d1d9936e120b6daad7cae971b5d2ba79deb01bc3a044a885695f5b", "type": "machine_learning", - "version": 311 + "version": 310 }, "178770e0-5c20-4246-b430-e216a2888b23": { "min_stack_version": "9.4", @@ -1351,25 +1351,25 @@ "rule_name": "Spike in User Lifecycle Management Change Events", "sha256": "78e9dfe6280543b50244e70ade9ca9266f8f77531dcb55cdc872a95de1c944ae", "type": "machine_learning", - "version": 106 + "version": 105 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", "sha256": "4c1feb2d691a715844f24edbb5207bc35a4fdeee0d7314d708aeaba89adbbf0d", "type": "eql", - "version": 21 + "version": 20 }, "17b3fcd1-90fb-4f5d-858c-dc1d998fa368": { "rule_name": "Initramfs Extraction via CPIO", "sha256": "87ea53b4b70ebf750914ab208825d5c3c7161366d9b24c6267fb095279b01da7", "type": "eql", - "version": 7 + "version": 6 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "11eedb38f0535b593e7587c7ae9c0c9b1f11713712345cb14aa032c4251e687b", "type": "eql", - "version": 219 + "version": 218 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "min_stack_version": "9.4", 
@@ -1385,25 +1385,25 @@ "rule_name": "Unusual Network Destination Domain Name", "sha256": "65a861fcdfcd0c2366b569e4e3c8e7a599512fa2331ece1fb23f58ed93ff1b85", "type": "machine_learning", - "version": 210 + "version": 209 }, "181f6b23-3799-445e-9589-0018328a9e46": { "rule_name": "Script Execution via Microsoft HTML Application", "sha256": "f5b07367a229e2cc48754deee2bffbec577230719548e1c91cb73bd36b064536", "type": "eql", - "version": 211 + "version": 210 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", "sha256": "b5bfa9c5bdbb2ac76c679d8e7c12aa4614561e8f0815a77d48fccf5feedd3a89", "type": "eql", - "version": 8 + "version": 7 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", "sha256": "acbdc60b1dddabc74eeaf2f73f1a26c51ced274c1226442b720a366f7bf37d2e", "type": "query", - "version": 110 + "version": 109 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", @@ -1415,7 +1415,7 @@ "rule_name": "AWS Secrets Manager Rapid Secrets Retrieval", "sha256": "800ebd4d1ef253c688e649cd84fca4d2da5b8896f3537ecaa252855132cd0cc6", "type": "threshold", - "version": 9 + "version": 8 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "min_stack_version": "9.4", 
@@ -1431,43 +1431,43 @@ "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "12ba54701c9c9a48fe730d815cf85aa3e3e17eb721b01045f3015cf5f197813b", "type": "machine_learning", - "version": 110 + "version": 109 }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", "sha256": "718358b1e1c35b97028b4230acd16b8d1f36c355982f8acbeef3d773809c1f86", "type": "eql", - "version": 13 + "version": 12 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", "sha256": "6e73ca10f3e881fa538c71a4fa49fa6d7dd2022afd6c94c19a3c9c2bc3a24e01", "type": "eql", - "version": 11 + "version": 10 }, "1955e925-6679-4535-9c1b-28ebf369f35f": { "rule_name": "Suspicious File Creation via Pkg Install Script", "sha256": "bf39e06d8e8bcb3450813ab5d58f0a03c28e5cf9893bdc6abcfef843e67f134b", "type": "eql", - "version": 3 + "version": 2 }, "1965eab8-d17f-4b21-8c48-ad5ff133695d": { "rule_name": "Kernel Object File Creation", "sha256": "2e671c13c33cb02522db10a2ec30e4b58a107647589f9ff89a5f1b1259a43cb2", "type": "new_terms", - "version": 7 + "version": 6 }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region GetServiceQuota Requests", - "sha256": "6424aa369601d574151cb5a03827f6b7d7ea6d5cda6f6daec0ce91e4cc068499", + "sha256": "34009951e545cd9d705e6cac58d2af9dba570cc5dcec0e69c192d165f28be6d3", "type": "esql", - "version": 11 + "version": 10 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", "sha256": "b836fac20b0940bfc3175c371b5a9a9693cc738c58e02cce56b41be1d943bddb", "type": "machine_learning", - "version": 213 + "version": 212 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "min_stack_version": "9.4", 
@@ -1483,19 +1483,19 @@ "rule_name": "Spike in Number of Processes in an RDP Session", "sha256": "fe983ed864521ad6cf3fe4e5be5ab60aef58b86a53412d26c0425b6eb0d442b4", "type": "machine_learning", - "version": 110 + "version": 109 }, "19f3674c-f4a1-43bb-a89c-e4c6212275e0": { "rule_name": "GitHub Exfiltration via High Number of Repository Clones by User", "sha256": "d44f81cce81f9989e3da9c9690ce5f15e1d0f708db04fecc4fc46560c28e35ba", "type": "esql", - "version": 5 + "version": 4 }, "1a1046f4-9257-11f0-9a42-f661ea17fbce": { "rule_name": "Azure RBAC Built-In Administrator Roles Assigned", "sha256": "096328c92f192c547fa70269c2a8869a2b41ea46972ff0b85f91c484b81defcc", "type": "query", - "version": 4 + "version": 3 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "9.3", @@ -1511,13 +1511,13 @@ "rule_name": "Suspicious Network Tool Launch Detected via Defend for Containers", "sha256": "52c8bf4b88a390a02c576926ab93066b84724ffbf8a8f2adfc8bfa9edf30f233", "type": "eql", - "version": 106 + "version": 105 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Entra ID Application Credential Modified", "sha256": "d9a189bab2df94b4b6cd30d792e7891b84d4684c3d1f1b94e30aeb8769e60c62", "type": "query", - "version": 110 + "version": 109 }, "1a3d5b36-b995-4ace-9b85-8a0af429ccf6": { "rule_name": "Newly Observed High Severity Detection Alert", 
@@ -1529,61 +1529,61 @@ "rule_name": "Potential System Tampering via File Modification", "sha256": "40e16656b62a8f8b4a050a24a81a5222c3b71244c7e747902e7899933102755a", "type": "eql", - "version": 6 + "version": 5 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", "sha256": "7aff4b19617d22e58a7bba7919b719dbbec4df85308564a1cd3fee9363798ae2", "type": "eql", - "version": 321 + "version": 320 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", "sha256": "a3d4e1675ec84b3af9163b6a3759711bce84c07ff080a118e7208d181665df7c", "type": "query", - "version": 216 + "version": 215 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", "sha256": "12119420da1871b99202f57ec10904ffc1deee90adab67e4719a1a7207bbc500", "type": "eql", - "version": 318 + "version": 317 }, "1ac027c2-8c60-4715-af73-927b9c219e20": { "rule_name": "Windows Server Update Service Spawning Suspicious Processes", "sha256": "68657a78537ab31a02e6e7bdf3c1c16c01ab15359ecf055b790816e887efceca", "type": "eql", - "version": 5 + "version": 4 }, "1aefed68-eecd-47cc-9044-4a394b60061d": { "rule_name": "React2Shell Network Security Alert", "sha256": "0bb3f9c7167e6586c90cc2a0d5c56d1239b7e0eccdfbdb6d4fb9e18757d982fe", "type": "query", - "version": 3 + "version": 2 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", "sha256": "2f7562c182467d14f7652d3abb6608ddb866a662c35c85f285c8fd5b91f6f892", "type": "eql", - "version": 8 + "version": 7 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", "sha256": "a0a40875e83b365491356586b13f47638211dbab5eb725cd74e481088f4abf31", "type": "eql", - "version": 213 + "version": 212 }, "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": { "rule_name": "Remote Management Access Launch After MSI Install", "sha256": "54c52e1583a70f0e58886c3834476d8a301420a103cebf085744e0b227eabe61", "type": "eql", - 
"version": 5 + "version": 4 }, "1b65429e-bd92-44c0-aff8-e8065869d860": { "rule_name": "BPF Program Tampering via bpftool", "sha256": "81a039d10521f44f4281d8544ffd0b16a9b3063f8ee87612d04ff43a2da6151a", "type": "eql", - "version": 3 + "version": 2 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted", @@ -1601,25 +1601,25 @@ "rule_name": "Potential Internal Linux SSH Brute Force Detected", "sha256": "03f4a222aafafea3d3221e0582ccac9b11bbc82101504c84c7694b8ef873cda9", "type": "eql", - "version": 17 + "version": 16 }, "1c28becc-ec0b-4e6d-81a5-899d00348089": { "rule_name": "Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket", "sha256": "b9af69ebbbeff32bb2101e0acdf8c98dc60ca99cddc9b2ecbb16b47c394956d6", "type": "eql", - "version": 2 + "version": 1 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "rule_name": "Potential Process Injection from Malicious Document", "sha256": "ce6e5c0d567af464050071029e7ca367ab9b070855f566cda0626a678b8c95ef", "type": "eql", - "version": 5 + "version": 4 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Entra ID Illicit Consent Grant via Registered Application", "sha256": "fb04e2d9695cf1eb8eef84bae6c748979d9703934f64e06743e28b55e5168f56", "type": "esql", - "version": 221 + "version": 220 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", 
@@ -1631,86 +1631,86 @@ "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created", "sha256": "872670a07996ff3b1b618f205a314336501baae58b58b0b9eb4df5a182cbe3aa", "type": "query", - "version": 110 + "version": 109 }, "1ca62f14-4787-4913-b7af-df11745a49da": { "rule_name": "New GitHub App Installed", "sha256": "98cd8a087a11aa53e292618c8047442532a33dc329c2c7c7e264ad92008f574b", "type": "eql", - "version": 210 + "version": 209 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "2d10043a1aa6786aef98747241a102b2e31aae347ae8a451f5e468c9d52f7e35", "type": "eql", - "version": 215 + "version": 214 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "b205ced242cd1aea02d4b083ded2c9a8d7e55a6d6b9c2a0e4a62f113c2d1d709", "type": "new_terms", - "version": 214 + "version": 213 }, "1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": { "rule_name": "Entra ID Domain Federation Configuration Change", "sha256": "ad37538a2c191bb69fef32ecee94047d48237b5f045c30faa5d3cbba14fe1aec", "type": "query", - "version": 4 + "version": 3 }, "1d0027d4-6717-4a37-bad8-531d8e9fe53f": { "rule_name": "Potential Hex Payload Execution via Command-Line", "sha256": "73886707ccad198484d4c6cdde082d9ef78aea65c349fa08ea0430836e23f673", "type": "eql", - "version": 6 + "version": 5 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", "sha256": "e9575c364fc387c6707b5d37b4870192b76de5fab2e194b70bc4691ef96b498f", "type": "eql", - "version": 217 + "version": 216 }, "1d306bf0-7bcf-4acd-83fd-042f5711acc9": { "rule_name": "Initial Access via File Upload Followed by GET Request", "sha256": "2b398592c31c97af1985d6702aea4c8065619b220445521d5b75a1a48b3c1a47", "type": "eql", - "version": 4 + "version": 3 }, "1d485649-c486-4f1d-a99c-8d64795795ad": { "rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt", "sha256": 
"2756232f98fabdff059cfa55dc552f04e2c8c7042455b61eade3819dde3b4b3d", "type": "eql", - "version": 4 + "version": 3 }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Profile Creation", "sha256": "92e8e6bf07d93b94bbeb7d1af6d2bd2f62f69c4dd3bedc34becebc0961db80c8", "type": "query", - "version": 10 + "version": 9 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "8d05c32f44d67de63080ae2a1b59170a1394351c67170174791519ff480c2348", "type": "eql", - "version": 111 + "version": 110 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "398b3d88b1753b2d476720085736b2bdfe86fb195e47981a3e582f66397ced53", "type": "query", - "version": 115 + "version": 114 }, "1dc56174-5d02-4ca4-af92-e391f096fb21": { "min_stack_version": "9.3", "rule_name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers", "sha256": "de7edeb410f5b8a1e8dbb092cbe4d087a133a7ba1c66545920a487874a383294", "type": "eql", - "version": 3 + "version": 2 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "280c95cf73f0b4d05908dee4ef63654696f4b55a5040e86f1f69d1455aab9cd4", "type": "eql", - "version": 319 + "version": 318 }, "1dd99dbf-b98d-4956-876b-f13bc0ce017f": { "rule_name": "Alerts From Multiple Integrations by User Name", @@ -1722,7 +1722,7 @@ "rule_name": "Suspicious Inter-Process Communication via Outlook", "sha256": "bdf02d8405b38f96f1a6314cda5e1200914160197006090f7af12146810ca2cb", "type": "eql", - "version": 13 + "version": 12 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader", 
@@ -1734,37 +1734,37 @@ "rule_name": "Potential Linux Hack Tool Launched", "sha256": "d77702d18de0a8d0365973764069a898ec115292a1894c24062e7aed54979fd4", "type": "eql", - "version": 110 + "version": 109 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "rule_name": "Deprecated - PowerShell Script with Discovery Capabilities", "sha256": "ad1bd87d23f66d5a3239115816acbcf857fffb8361fd598d3abda318487378fa", "type": "query", - "version": 216 + "version": 215 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", "sha256": "a36ca67a74f87b67b969d3970684fafaf17f731179188925f02cc6e2db6c3dd7", "type": "query", - "version": 108 + "version": 107 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "rule_name": "Creation of a DNS-Named Record", "sha256": "f122d418e9dafbe14b2ca383cd8a6184aaa9aaaca6d46160e742e081b941bc9b", "type": "eql", - "version": 110 + "version": 109 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "rule_name": "Creation of SettingContent-ms Files", "sha256": "2f32979d0c4c70576ae719941f88e9b734de6ca0b68d8cbca27176d73ca4769d", "type": "eql", - "version": 110 + "version": 109 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "b6df387d7eea51849c454c9111255872e0f17716467e7f7dcb96324b0a100070", "type": "new_terms", - "version": 209 + "version": 208 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "min_stack_version": "9.4", @@ -1780,7 +1780,7 @@ "rule_name": "Unusual Sudo Activity", "sha256": "c191e024e62f5ec95b39f7a502aecbea41301bd8a555cbe351ce2d88a3dc354d", "type": "machine_learning", - "version": 208 + "version": 207 }, "1eb74889-18c5-4f78-8010-d8aceb7a9ef4": { "min_stack_version": "9.4", 
@@ -1796,43 +1796,37 @@ "rule_name": "Spike in Azure Activity Logs Failed Messages", "sha256": "b55cf9442601c13334ddbdf9f1c6553c1ee36c6be64b33cc9c2d312f36a43c55", "type": "machine_learning", - "version": 102 + "version": 101 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "5f229ee4fa489867da43771533ebd54f07045dbf3c671e4edec7850f6e2ff04d", "type": "query", - "version": 119 + "version": 118 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "rule_name": "AWS Sign-In Console Login with Federated User", "sha256": "55d45ab5f5631b527067817a7d2c2d4fd25f4b7740b19d7ed6684b84c9d198b6", "type": "query", - "version": 8 + "version": 7 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "6ef4ba72caea4308333e21e9748b0103bd5465ca8e8de00cb44982b38ddc73a8", "type": "eql", - "version": 109 - }, - "1f489c86-d9c4-40de-9316-931721ca9b45": { - "rule_name": "Google Workspace User Login with Unusual ASN", - "sha256": "36d9ddf894c154d8b06736a4546c607e5e6506501cef0fa285bd4715adf0e2d6", - "type": "new_terms", - "version": 1 + "version": 108 }, "1f56f548-94ec-4678-b1ed-b1a14cca4e3a": { "rule_name": "File Creation in World-Writable Directory by Unusual Process", "sha256": "4df9615b0c5bc14b8ab9c22dfd3b551e165497764f49c76f47131b8c18126ad8", "type": "new_terms", - "version": 3 + "version": 2 }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { "rule_name": "High Number of Egress Network Connections from Unusual Executable", - "sha256": "eafeb83b8040dee8fe09ca03a41822ab04b2e697435ea84a3ccaceb964e96175", + "sha256": "b7c5e8e2683c1a9405ab334ea64b6abd11051146461d97a00a006a8a114ac5e3", "type": "esql", - "version": 14 + "version": 12 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "9.4", 
@@ -1848,13 +1842,13 @@ "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "1a0a985a78e282cb73680c64ef0fd7dd1b06b6888ac9aa29908324720ffd8a52", "type": "machine_learning", - "version": 208 + "version": 207 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "ce63eff5ee6329ed0d754e18e681e094db4edd4554e6c5857c4a7e4eec55a7f3", "type": "eql", - "version": 221 + "version": 220 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", 
@@ -1866,43 +1860,43 @@ "rule_name": "Suspicious .NET Code Compilation", "sha256": "718eb4049a2a7d326275953bcb81b6108f6af2f80cf5681605b01c2156773965", "type": "eql", - "version": 320 + "version": 319 }, "202829f6-0271-4e88-b882-11a655c590d4": { "rule_name": "Executable Masquerading as Kernel Process", "sha256": "b71bdcfb747a7c25b0a7ecef37b73f89cfd4936ff7b67f399a7d47694f1c4992", "type": "eql", - "version": 110 + "version": 109 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "rule_name": "Creation or Modification of Root Certificate", "sha256": "da1e0288bfbf5cf9a5a637c2ff71e7b786124de06dafdd88afc745cf802cfbec", "type": "eql", - "version": 318 + "version": 317 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "00192d120763a8e01464c5ce0165c7c8c09fd5dc69b8913668ae9889fe86e6ce", "type": "query", - "version": 213 + "version": 212 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Suspicious Web Browser Sensitive File Access", "sha256": "e46abdd536b397307dd73b4a20f4296b0141a10a86a9c252ecc461420fea502d", "type": "eql", - "version": 215 + "version": 214 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "acfa894d6162e141d87059ad8f6bf9ab526faf4bb7d294c1c9559d4a696d8c5a", "type": "eql", - "version": 210 + "version": 209 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", "sha256": "71c7f2709ba57af9d034b02dfddd8ffad88a6ce54561ccb2e9a6249e403f045f", "type": "new_terms", - "version": 219 + "version": 218 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", 
@@ -1914,74 +1908,74 @@ "rule_name": "Mofcomp Activity", "sha256": "c0049f673475e17a60c9243c445c9cc0740541dd02cedb0ad8ad2af6aa0ec463", "type": "eql", - "version": 12 + "version": 11 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "AWS SNS Topic Message Publish by Rare User", "sha256": "3e08ddf0b5b1afd3391ad3417aeab29ba5b82004dfea27700df13240aa6f2c1e", "type": "new_terms", - "version": 7 + "version": 6 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", "sha256": "ffbef35f2979f9b0815d176123110cf20185f13031b14a773f5d555d5a5f67ef", "type": "eql", - "version": 10 + "version": 9 }, "214d4e03-90b0-4813-9ab6-672b47158590": { "rule_name": "New GitHub Personal Access Token (PAT) Added", "sha256": "59d60ae7f69e0ad09fed8b4f0d81aa233cb1aa5f95a2c4dbc67893e48c9c6a68", "type": "eql", - "version": 4 + "version": 3 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "sha256": "8b75d9e37c1f4a0c2bf887e72a428e276adafb073c14a72aa32d6df0f17e18d9", "type": "new_terms", - "version": 12 + "version": 11 }, "21c3536f-b674-43db-9bfc-dcf4cf9dcc37": { "rule_name": "GitHub Secret Scanning Disabled", "sha256": "aff570e0cf948f93e3441a9f2e00aef71fc0bf2aa0b96863c7c05b6589ebb7d6", "type": "eql", - "version": 3 + "version": 2 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "2e948782f65666ac3d10796a6baf18110e533c7911ec87b4302958666ded5115", "type": "eql", - "version": 114 + "version": 113 }, "220d92c6-479d-4a49-9cc0-3a29756dad0c": { "rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy", "sha256": "b8ea3be7fe37d1a71bbceeadb9717e70b488e7256446ad679f347b464e34524c", "type": "esql", - "version": 3 + "version": 2 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Activity", "sha256": "09ce90780ee8c5b0abb47761859ddd4909e777651474a0de5937379b4fe1de9d", "type": 
"new_terms", - "version": 211 + "version": 210 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "Deprecated - SUNBURST Command and Control Activity", "sha256": "e436ded1c2bcdb723f2a841740b8072959feceb4095c0086697c55e444763575", "type": "eql", - "version": 113 + "version": 112 }, "227cf26a-88d1-4bcb-bf4c-925e5875abcf": { "min_stack_version": "9.3", "rule_name": "Encoded Payload Detected via Defend for Containers", "sha256": "c22125aa8d5fbba0e2e7ab1379a82385d8164c305089fc053ca1bf31ed58b2e0", "type": "eql", - "version": 4 + "version": 3 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "94bf56921f7182099d52dfb0db8b4469fc67827685348c0e306268756187ba80", "type": "query", - "version": 215 + "version": 214 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", @@ -1993,13 +1987,13 @@ "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "86d21d741eff46da2d15b7f31b033ed32ecda99a9f660857b2f751ee059c149f", "type": "query", - "version": 110 + "version": 109 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "rule_name": "Kernel Module Load via Built-in Utility", "sha256": "a06f1985bb2ac22749c86a7b54bbc101a924941d49abfa208f890b470ad6323d", "type": "eql", - "version": 217 + "version": 216 }, "2377946d-0f01-4957-8812-6878985f515d": { "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", 
@@ -2021,43 +2015,43 @@ "rule_name": "Potential Kubectl Masquerading via Unexpected Process", "sha256": "6e24466e654e56308b329e2e506d4a36f3cb93890c9cc863c6f54618cdb177da", "type": "eql", - "version": 105 + "version": 104 }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { "rule_name": "Unknown Execution of Binary with RWX Memory Region", "sha256": "082bad18b8416bb5ccd1d0cfce8b0e590878f8eda05813006131e35463194383", "type": "new_terms", - "version": 9 + "version": 8 }, "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf": { "rule_name": "Potential SAP NetWeaver Exploitation", "sha256": "9592413691f94b0e392e5b6b6d96b45087aef7dcc204902cbee6f54c88ca0e31", "type": "eql", - "version": 3 + "version": 2 }, "23cd4ba2-344e-41bf-bcda-655bea43fdbc": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "bad7dfbcf30e7a80ff8bf2b11b59f66510afc25bcebc9113d7ba02700a792c86", "type": "eql", - "version": 5 + "version": 4 }, "23e5407a-b696-4433-9297-087645f2726c": { "rule_name": "Potential NTLM Relay Attack against a Computer Account", "sha256": "f0d7a8f00c28cdc603cdf2f3a222453dc87d3c585871a04289e06d7d65e12363", "type": "eql", - "version": 3 + "version": 2 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "rule_name": "Potential Okta Brute Force (Device Token Rotation)", "sha256": "1dca7f7a9f133b30aeaaf0bcefe7bfa30c7c6d26fa4a0ac58e4bf6ab5ca714f6", "type": "esql", - "version": 213 + "version": 212 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", "sha256": "33174dde2dcb90f51dc8b556bf7b9e4042559084fa221d4dc8f0b0d6bda99a8d", "type": "eql", - "version": 212 + "version": 211 }, "2449be9d-2fdf-4126-a85b-f05e4058df9f": { "rule_name": "Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)", 
@@ -2069,32 +2063,32 @@ "rule_name": "Lateral Movement via Startup Folder", "sha256": "0ea2de447f9849a74fe836db1209085c0b5799003f2cae237af3197ac11c27e4", "type": "eql", - "version": 316 + "version": 315 }, "25368123-b7b8-4344-9fd4-df28051b4c6e": { "rule_name": "First Time Python Created a LaunchAgent or LaunchDaemon", "sha256": "fe6a9526f2f3cde09ceb6ad2abb75b5c041b596c4c3efb072057e5d8d206557b", "type": "new_terms", - "version": 4 + "version": 3 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "rule_name": "Potential PowerShell HackTool Script by Author", "sha256": "0199eb265ce99c7a9f188d9ffa0b0d930dc5da0e8125dce7773e6f4c681d9ad0", "type": "query", - "version": 111 + "version": 110 }, "2572f7e0-7647-4c68-a42b-d3b1973deaae": { "min_stack_version": "9.3", "rule_name": "Potential Kubeletctl Execution Detected via Defend for Containers", "sha256": "acc31532978654732c3792974aca8d114b5fcbc3b1a2bb12c476fbb78d110c67", "type": "eql", - "version": 4 + "version": 3 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "rule_name": "Potential Reverse Shell via Background Process", "sha256": "d6a2ecf476cd2454fdbff39ec56abf5546147359689e2d4c4d2b1b13eec7d813", "type": "eql", - "version": 111 + "version": 110 }, "25a4207c-5c05-4680-904c-6e3411b275fa": { "rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree", 
@@ -2106,110 +2100,110 @@ "rule_name": "Network Activity Detected via Kworker", "sha256": "6f4eff66f0c65aba4c175641ec53bd362c571ddcc98a36f91f1357b1e7f21817", "type": "new_terms", - "version": 11 + "version": 10 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", "sha256": "a4325d7530e0e1c4d8606448e0fda6086c035e0c00e8a6941f16716a7b0c4be9", "type": "query", - "version": 8 + "version": 7 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "rule_name": "New Okta Authentication Behavior Detected", "sha256": "b4310f1d499651a51101aa441f2d2dbfa9526781e8c3572a6f390ee7b104c96e", "type": "query", - "version": 212 + "version": 211 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", "sha256": "847b0b60963ff676ec04a3851fcf67da0046389d6b3d572ab197169471c02e4c", "type": "eql", - "version": 12 + "version": 11 }, "263481c8-1e9b-492e-912d-d1760707f810": { "rule_name": "Potential Computer Account NTLM Relay Activity", "sha256": "c6466b3359e6b53e8f7baa6dc0c0a8268893292d2e8c70cf97aaf503f935e4f2", "type": "eql", - "version": 111 + "version": 110 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Storage Container Access Level Modified", "sha256": "17ad4439d8cff6eb09caa234542cd8b06c1f9431660b61500250cfac88379a95", "type": "query", - "version": 109 + "version": 108 }, "264c641e-c202-11ef-993e-f661ea17fbce": { "rule_name": "AWS EC2 Deprecated AMI Discovery", "sha256": "8e6edb115aadbbe0288142ede56a886b171f90f427e56805c3b403b92787d9b0", "type": "query", - "version": 9 + "version": 8 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "f6c4dc44ea09e4d0007ef1b75b2883cdc9f543888b98fd1e58d6ab7ec7e90a34", "type": "eql", - "version": 320 + "version": 319 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "rule_name": "Unusual High Denied Topic Blocks Detected", - "sha256": 
"2d8380692f5a4979d5ce42e2f909839300184905903c947860d8bd68208fd2a0", + "sha256": "eb93685370370e45763a4c643fb482b438ac57fbe5bb1cae4f02da532dec3ddc", "type": "esql", - "version": 7 + "version": 5 }, "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", "sha256": "fa8068ba6208f9c013cda667f737b51fae6f5b52b978165e1b76c35f0acd0ee1", "type": "new_terms", - "version": 7 + "version": 6 }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "rule_name": "Potential Defense Evasion via Doas", "sha256": "8c951a0906470270b43bc3293a9d807368a4febdfe1c96dcf7585c87d42f40b0", "type": "eql", - "version": 107 + "version": 106 }, "26a989d2-010e-4dae-b46b-689d03cc22b3": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request Detected via Defend for Containers", "sha256": "83c6cdeb9a06541ccba897ff5fded24c63515255d7a617a83ba2b1150425e39a", "type": "eql", - "version": 3 + "version": 2 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "rule_name": "Privileges Elevation via Parent Process PID Spoofing", "sha256": "2a8b22e7d63527d904ab15bd93ab301fbe45ba09b99e427ca34ebe89d9d1d15c", "type": "eql", - "version": 13 + "version": 12 }, "26edba02-6979-4bce-920a-70b080a7be81": { "rule_name": "Entra ID High Risk User Sign-in Heuristic", "sha256": "f2967ce4210d92868dcbb7f81ec19ec93006bdf594453cbf93086d8fb02edd22", "type": "query", - "version": 111 + "version": 110 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "M365 Identity User Brute Force Attempted", "sha256": "ebb4f079a3090c488a142f1c993638ab122995c8ec1213052b508848e1fc433d", "type": "esql", - "version": 419 + "version": 418 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e528a3c860f8f8de6eb7bceeebeefd1cf6ab283b09db3f9bc9ece6beb6fa532a", "type": "query", - "version": 214 + "version": 213 }, "2724808c-ba5d-48b2-86d2-0002103df753": { "rule_name": "Attempt to Clear Kernel Ring Buffer", 
"sha256": "cc0c2851cb9e2e1facc925729c2f7cca24af0ac04d12a8ebdbe16870cdb540a3", "type": "eql", - "version": 111 + "version": 110 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "M365 Exchange Mail Flow Transport Rule Modified", "sha256": "58f1574c18c76838ab7233c8367023b61bc2ee9fe19c6de7f38cfd9a9f760b08", "type": "query", - "version": 214 + "version": 213 }, "27569131-560e-441e-b556-0b9180af3332": { "min_stack_version": "9.4", 
@@ -2225,62 +2219,62 @@ "rule_name": "Unusual Privilege Type assigned to a User", "sha256": "07ea6892290d7a3ab379ca9ae743312e7ac639accd3a42b44ef6d882debc7788", "type": "machine_learning", - "version": 105 + "version": 104 }, "275b972d-2fed-44fc-9214-08603b3318e3": { "rule_name": "M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)", "sha256": "1cb9831d107472766f76dbe7ca4eee784b4004fa2ba6f977d2475b01da030a77", "type": "query", - "version": 2 + "version": 1 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "c46e02d9df71ee1e22ed5ac8f5ba1d5afab07283bd6ea70286a84474f4017c06", "type": "eql", - "version": 216 + "version": 215 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", "sha256": "bb286cf8785e506f2b849cf456c03c150eef1646b3cba7375baf550e2adbbe61", "type": "query", - "version": 110 + "version": 109 }, "279e272a-91d9-4780-878c-bfcac76e6e31": { "min_stack_version": "9.3", "rule_name": "Suspicious Process Execution Detected via Defend for Containers", "sha256": "f59668d5789c20ac3063485cf2e2475dee1cca5257adcd26dd6792bd6a9611aa", "type": "eql", - "version": 4 + "version": 3 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Deprecated - M365 Teams External Access Enabled", "sha256": "bc0c0b0a6a0f4f1cdef846be5717cc774ae8cfcf0c777765f28656c16ed58484", "type": "query", - "version": 215 + "version": 214 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", "sha256": "7b6619e4799f5c51aac53ea894d15478f84f6ed434bf2f15f94fdf0570761aa1", "type": "eql", - "version": 223 + "version": 222 }, "283683eb-f2ce-40a5-be16-fa931cb5f504": { "rule_name": "Newly Observed Palo Alto Network Alert", "sha256": "6950c8ed18d7697993f1a1159f6bc0a7eb141aaff4f0243575894da36997a1b8", "type": "esql", - "version": 4 + "version": 3 }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", 
- "sha256": "ce81951ab3d4a4fdf53ec1d89559c7146d3adb5b6d73f7e417446e8307628be9", + "sha256": "b8cf9700d169c0901439e2d0562728548640e7e876af9ac5968766217cb1f804", "type": "esql", - "version": 7 + "version": 6 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "27990b18c9a88be12901538e00f7518df2e6955d7e6825b3e6c043688e68414d", "type": "eql", - "version": 217 + "version": 216 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", 
@@ -2304,67 +2298,67 @@ "rule_name": "AWS STS Role Assumption by User", "sha256": "7dc5f160fa3c93691ca733218c01f5481e0fe164bd1f9b1f0beb35a7763ec43d", "type": "new_terms", - "version": 10 + "version": 9 }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", "sha256": "40709b37a372f451eb19142e62244babb6f19d932ff23febe70379c94e8fd0e6", "type": "eql", - "version": 8 + "version": 7 }, "28d39238-0c01-420a-b77a-24e5a7378663": { "rule_name": "Sudo Command Enumeration Detected", "sha256": "08cd9c8ade957eb4b22e7e97107ab12ebabd91467a861afb99e3b6a377becb68", "type": "eql", - "version": 112 + "version": 111 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "rule_name": "Privilege Escalation via SUID/SGID", "sha256": "46f7be3e59656893dfb3bcec2a1f30e7e118a703b4c52bfa1c61fee7207354ef", "type": "eql", - "version": 113 + "version": 112 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation", "sha256": "c58523c3504b477306897ad712fc266a3409aef8c601706b879c32f1efb654b3", "type": "eql", - "version": 12 + "version": 11 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS EC2 Security Group Configuration Change", "sha256": "a2e0780759a02c4f019ded2450fbab0521f281a7495b1d6381ce9a065acc3db6", "type": "query", - "version": 215 + "version": 214 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "fbac4cf97fd5011fda908f1d0adbb902d2728ecf40da761102b508c43548ccd5", "type": "eql", - "version": 324 + "version": 323 }, "2917d495-59bd-4250-b395-c29409b76086": { "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "bc5e8ceab279abfed41e634d0a0a4597dfc4c45c9963a0bdec070875fe0f1010", "type": "new_terms", - "version": 425 + "version": 424 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": 
"4cacb8f8a73738c053cb1f103e94a0cc342a31b5e595c2d0c90538fa08e8238b", "type": "new_terms", - "version": 422 + "version": 421 }, "29531d20-0e80-41d4-9ec6-d6b58e4a475c": { "rule_name": "Alerts in Different ATT&CK Tactics by Host", - "sha256": "68c808fa2cb139fbf87fada5fe4b7c7f653dc3727a5799983ac5f5a819e14d60", + "sha256": "c5405c7e3f88cfc2000c94b4c7b8d38c9d2a26b546e452f9ed097e0da1aaa240", "type": "esql", - "version": 6 + "version": 5 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "bb3f43e51cf57903cac31eea9b1da4e3c0c5398f11a673b5e3fd5770b25477f4", "type": "query", - "version": 211 + "version": 210 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", 
@@ -2376,37 +2370,37 @@ "rule_name": "Linux SSH X11 Forwarding", "sha256": "e4c869cb3edc72947fd52af59a07d158d9df906cfd5b80d6dcca840734074fe7", "type": "eql", - "version": 110 + "version": 109 }, "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": { "rule_name": "Microsoft Graph Request User Impersonation by Unusual Client", "sha256": "c79bf8bb0d94aaff02709efc88bdd456c06752b9e7d41a5a34bd1eeb99eed3f1", "type": "new_terms", - "version": 9 + "version": 8 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", "sha256": "bb5d868d2632e7b5a662737cfdddf49f0aa78a0d0dda0cad6b4104330cad37ec", "type": "eql", - "version": 14 + "version": 13 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod Created with a Sensitive hostPath Volume", "sha256": "dffee6f1f33580e6cf14dd782f8158c3b7c55b5f30b1db84f04f44d575386b26", "type": "query", - "version": 211 + "version": 210 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "rule_name": "ESXI Discovery via Grep", "sha256": "37999a3afa79aa321127ff14e5839d96e719daa04d68b38cc7f79924c59a8982", "type": "eql", - "version": 114 + "version": 113 }, "2b9a3b7a-0891-4a89-abbe-dca753c403cd": { "rule_name": "Multi-Cloud CLI Token and Credential Access Commands", "sha256": "61952dce699974e95e7f7709554d81d3e2ab7e7bee7a9126f8a648e53b3da84f", "type": "esql", - "version": 2 + "version": 1 }, "2bca4fcd-5228-4472-9071-148903a31057": { "min_stack_version": "9.4", 
@@ -2422,67 +2416,67 @@ "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", "sha256": "b87efefef846486cad6bc17aa7c220a3833b848d4ca87f09c1f5defda9cb428d", "type": "machine_learning", - "version": 105 + "version": 104 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Deprecated - Adobe Hijack Persistence", "sha256": "d554c3a9b2cbb27ce03d73fe4c984d648404006ad784e24039acee69e3f2b78f", "type": "eql", - "version": 422 + "version": 421 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "a0709d688ae05f8fc435bd8ca93dda11365bc4a4a944b23ff637780dac62b701", "type": "eql", - "version": 320 + "version": 319 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "8d94d7fb85ae6118469b64123048223e518e64558377b9e2e140fdf98ece2a16", "type": "eql", - "version": 219 + "version": 218 }, "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": { "rule_name": "Newly Observed FortiGate Alert", "sha256": "a03c57f295928b0d76701bfde0f0f24c71f4f0468545519ef16b580061b27cff", "type": "esql", - "version": 4 + "version": 3 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "rule_name": "Potential Foxmail Exploitation", "sha256": "d9b063def75ef74f0205dc26441ae826e4c9cc34b2a6b8634df702cad8b562e1", "type": "eql", - "version": 210 + "version": 209 }, "2c74e26b-dfe3-4644-b62b-d0482f124210": { "rule_name": "Delegated Managed Service Account Modification by an Unusual User", "sha256": "79e8c76a9e9e5c426263821942e3d2ee0a1173e81bbba8aff836e9bd453654cc", "type": "new_terms", - "version": 5 + "version": 4 }, "2d05fefd-40ba-43ae-af0c-3c25e86b54f1": { "rule_name": "BPF Program or Map Load via bpftool", "sha256": "b89854776ad866f757ee1469315dad87cb628a427e71fe40f741a0aaf4c53d5e", "type": "eql", - "version": 3 + "version": 2 }, "2d3c27d5-d133-4152-8102-8d051619ec4a": { "rule_name": "Potential Okta Password Spray (Multi-Source)", "sha256": 
"0b3754763f9388a104514203cdb27b710d8d0b5bd654671deb494bdd5568496a", "type": "esql", - "version": 4 + "version": 3 }, "2d58f67c-156e-480a-a6eb-a698fd8197ff": { "rule_name": "Potential Kerberos Relay Attack against a Computer Account", "sha256": "9535ca2df0f4875a40fddd9343363a41368fc737d08a1ae532dccc3fbb98f4ff", "type": "eql", - "version": 4 + "version": 3 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "rule_name": "Command and Scripting Interpreter via Windows Scripts", "sha256": "71c4ced0fea8eaf9a81fbfcf8c97f73a25c05b08abfa5fd1302a51843c64a4fc", "type": "eql", - "version": 212 + "version": 211 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { "min_stack_version": "9.2", 
@@ -2512,49 +2506,49 @@ "rule_name": "Entra ID Excessive Account Lockouts Detected", "sha256": "f5a1ec4caef511f8190ed9a710be895fecebe6b72f29b03da749e5e4dea0b10b", "type": "threshold", - "version": 307 + "version": 306 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Unusual Kernel Module Enumeration", "sha256": "08ee164b5d1ce75b39808742849277e8261cb5961e4beed4e5b5884da7e12ccd", "type": "new_terms", - "version": 216 + "version": 215 }, "2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected", "sha256": "2038641850ec7f59a724389fa9c574dc5e7afde97a91a20ad4e700087c05d191", "type": "esql", - "version": 4 + "version": 3 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "58b8a1746c1b88f41ce38c583a0eb3520a1689f8a019913516571f21b3c095fa", "type": "eql", - "version": 317 + "version": 316 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { "rule_name": "Potential THC Tool Downloaded", "sha256": "2fdf4a036c7f0d6c3aa8e7d60e6415e5dce3b059e32369e04f6f992f75d652cf", "type": "eql", - "version": 110 + "version": 109 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "M365 Identity Unusual SSO Authentication Errors for User", "sha256": "dfbe6f2be34fc93b6ac0c780444a2c505c8154462a23a5c434332da089103385", "type": "new_terms", - "version": 216 + "version": 215 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "0e40b02258f08b8dd3d44d58c4d7ea172b3879f29c4811844a892121c0fed325", "type": "eql", - "version": 218 + "version": 217 }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { "rule_name": "Potential File Transfer via Curl for Windows", "sha256": "4d04954b58f65d7b8123c4875c6283eb3f8855e6fdbb706299800c4893aede50", "type": "eql", - "version": 9 + "version": 8 }, "2e08f34c-691c-497e-87de-5d794a1b2a53": { "min_stack_version": "9.4", 
@@ -2570,31 +2564,31 @@ "rule_name": "Unusual GCP Event for a User", "sha256": "dc4770ad5a8fc4f77f6dc6d6459c0bc5cd738459a7a2d9d13172cce489ef203b", "type": "machine_learning", - "version": 103 + "version": 102 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed Automation Script Interpreter", "sha256": "3412a61dea3f79000826b1ee35082aa9044c9d26e298c59e772d420c3d4fa016", "type": "eql", - "version": 220 + "version": 219 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential Process Injection via PowerShell", "sha256": "1f1201ba99d2842ffbcad3d15b1dcb747040fe2b58cd03c3b0438ef39413824f", "type": "query", - "version": 220 + "version": 219 }, "2e311539-cd88-4a85-a301-04f38795007c": { "rule_name": "Accessing Outlook Data Files", "sha256": "049befdbf6cac7da7b115ab1a497a5d04ad6940c94e04cc89ac097e309c67f89", "type": "eql", - "version": 110 + "version": 109 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "df2a80de2f7d6b43a02835be633a2f088deee19945762258bc20fc1770fc3718", + "sha256": "4abe9b19327d050b9a6b99c9ba1b465c25650d2afc82f39672d95f6cf38625d6", "type": "esql", - "version": 313 + "version": 311 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", @@ -2606,7 +2600,7 @@ "rule_name": "Creation of a Hidden Local User Account", "sha256": "64c4671959fc9fd3a93eb924ddb2c5a70a6f113b1602871a7029d7ce573fafbe", "type": "eql", - "version": 318 + "version": 317 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", 
@@ -2618,31 +2612,31 @@ "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "99ac9ef863cee31dd240561777099c022934a3cf76997d70d1b0f0b1414e32e2", "type": "query", - "version": 218 + "version": 217 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", "sha256": "83c3b8bb65af1b682a4e4e22bda3b0c8c4a7a01490b7e1a9add4b5b211590631", "type": "eql", - "version": 218 + "version": 217 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "rule_name": "Suspicious /proc/maps Discovery", "sha256": "f6b06ba2f41bccdff7861549bc087a2e1fae2ef2c4959ad2911665a2c04a9887", "type": "eql", - "version": 9 + "version": 8 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "b9b13ab82fce4582270516eb4103335c297e09ba1fb18b9305104084893f8432", "type": "eql", - "version": 114 + "version": 113 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "20024501f2158ecc1863a29ac71a7d5452d113ceaf3da322ec0b480574f1f462", "type": "eql", - "version": 220 + "version": 219 }, "301571f3-b316-4969-8dd0-7917410030d3": { "rule_name": "Malicious Remote File Creation", 
@@ -2654,25 +2648,25 @@ "rule_name": "GCP Firewall Rule Creation", "sha256": "b7443e73c34b63ea64aef8d2a73cdda1561793b4fc5ae82d1e23eddb58d45ed8", "type": "query", - "version": 110 + "version": 109 }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", "sha256": "45bc415cfbe47728cd85f5beb1db8210f3b2d2d740e54e02b7f5fc7ef97b9cad", "type": "eql", - "version": 9 + "version": 8 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "rule_name": "ESXI Timestomping using Touch Command", "sha256": "0803b6abb72d53ff4e03e0a82bb6729e4adceebe4e21f5846840b73ad1105a91", "type": "eql", - "version": 113 + "version": 112 }, "30d94e59-e5c7-4828-bc4f-f5809ad1ffe1": { "rule_name": "Suspicious File Made Executable via Chmod Inside A Container", "sha256": "9fc179c299f0a00f746636e748563c34ee24c5ec85c28140a77bf0831f50e7b9", "type": "eql", - "version": 5 + "version": 4 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "rule_name": "Deprecated - Network Connection via Sudo Binary", @@ -2684,13 +2678,13 @@ "rule_name": "Windows Script Execution from Archive", "sha256": "67a5e91404e6ae67e3f18a6dcfdac04ab77bc9dc55998558cbd6060067d8b9ab", "type": "eql", - "version": 5 + "version": 4 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", "sha256": "9096aa293720333cac0af019ee0209adf832956537108d1a8d905ba213834be7", "type": "new_terms", - "version": 10 + "version": 9 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID", 
@@ -2708,43 +2702,43 @@ "rule_name": "M365 Security Compliance Admin Signal", "sha256": "90ffab6d1e834727e5298c1c2a328ad9bf215065fe05525952503f932988d826", "type": "query", - "version": 3 + "version": 2 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", "sha256": "9668e85c8c56efdd809ccb17f4857ac12f4747e89dfd9d6b2f9d01c51a38a846", "type": "eql", - "version": 324 + "version": 323 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "4ad2ee73bd7cdbe3735b30d3a6b59541b724d90a3fd64c19100f94bb7f778ed6", "type": "query", - "version": 110 + "version": 109 }, "32144184-7bfa-4541-9c3f-b65f16d24df9": { "rule_name": "Potential Web Shell ASPX File Creation", "sha256": "620c207c86f94a7f5fa5ac75c072ca7504ecdc374a9a45ffaa54cfafe6ac449a", "type": "eql", - "version": 5 + "version": 4 }, "3216949c-9300-4c53-b57a-221e364c6457": { "rule_name": "Unusual High Word Policy Blocks Detected", - "sha256": "ea6f2ae258927c808b9260a4a79009dc6f859468792276d8d246a24a8f0523c2", + "sha256": "07e7e04210b862e96b27eee443227c6a1fbed5882d062ae1d78886a0a1d0da3e", "type": "esql", - "version": 7 + "version": 5 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", "sha256": "230128099a762e79453143aa42805708865110bb5debd68d2c3c1aa35a550290", "type": "eql", - "version": 10 + "version": 9 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure VNet Network Watcher Deleted", "sha256": "a11689594efe1a3ce6bc4114c4104ae80acfd08c3f4d742549b9ff40fc94afb5", "type": "query", - "version": 110 + "version": 109 }, "3278313c-d6cd-4d49-aa24-644e1da6623c": { "min_stack_version": "9.4", 
@@ -2760,31 +2754,31 @@ "rule_name": "Spike in Group Application Assignment Change Events", "sha256": "881770a8cf25c413c1ddb170eab543e5879b4573f6dd9fd8a4f758493bbba738", "type": "machine_learning", - "version": 106 + "version": 105 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "2d2ccd5ca54ed008472b8563442cef7bcbcfcca9773cf6cde8664d01bbf84c78", "type": "query", - "version": 111 + "version": 110 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", "sha256": "62c090223fc384970eab9eccabb23b4fe6793807b12491b26d209885275a6838", "type": "eql", - "version": 322 + "version": 321 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Atypical Region", "sha256": "bb2c0bbdce32e798e3e71ac54587b14911474b0bab1aba3c31fdff2cd236c318", "type": "new_terms", - "version": 12 + "version": 11 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", "sha256": "2b1d36af98d52e7c651c30532ec344b2145caeebab5862029eebf1639017c1e6", "type": "eql", - "version": 423 + "version": 422 }, "32f95776-6498-4f3c-a90c-d4f6083e3901": { "min_stack_version": "9.2", @@ -2800,13 +2794,13 @@ "rule_name": "Potential Masquerading as Svchost", "sha256": "0ae3b4874845b5b362efeaabd67d839e505a3c44968966093c21c4555b3d02d5", "type": "esql", - "version": 105 + "version": 104 }, "3302835b-0049-4004-a325-660b1fba1f67": { "rule_name": "Directory Creation in /bin directory", "sha256": "ced597d9501b078532ec2d68b3248faa95d307cc6fe32bbf812094b1072877b2", "type": "eql", - "version": 108 + "version": 107 }, "332ecb5b-08b6-47e9-885b-3cee1de74bac": { "rule_name": "Kubernetes API Server Proxying Request to Kubelet", 
@@ -2818,38 +2812,38 @@ "rule_name": "AWS IAM User Addition to Group", "sha256": "8740915ad9d3542a4b6dad50ca626d2efd14c8e2fa9e2dde5944d3f5fa80fa3e", "type": "query", - "version": 216 + "version": 215 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { "rule_name": "ESXI Discovery via Find", "sha256": "a71d83b3ee92c09090ce8fd23ebd63f59231a2edccb9bd6886660caebecd03aa", "type": "eql", - "version": 114 + "version": 113 }, "33c27b4e-8ec6-406f-b8e5-345dc024aa97": { "rule_name": "Kubernetes Events Deleted", "sha256": "18095b5a2473c932c2b35399552cbb87b2b648148c1ffed71425d9c909e8016d", "type": "eql", - "version": 4 + "version": 3 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", "sha256": "ba3fdfb67c7a505e71feb3c1bb53052fa31ed7aeb2b5b9c5f1951cec0c9d3f92", "type": "eql", - "version": 117 + "version": 116 }, "33ff31e9-3872-4944-8394-81dae76c12d9": { "min_stack_version": "9.3", "rule_name": "Potential Cluster Enumeration via jq Detected via Defend for Containers", "sha256": "01dc99277408753626228faea19f9692f74986b27893fa10d56ec72f7f599cba", "type": "eql", - "version": 2 + "version": 1 }, "341c6e18-9ef1-437e-bf18-b513f3ae2130": { "rule_name": "Potential Privilege Escalation via SUID/SGID Proxy Execution", "sha256": "8d52f8c87d55bec0b5f01ab261889d2ac07ff3c6a7eb1cbed03398fb111be726", "type": "eql", - "version": 4 + "version": 3 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "min_stack_version": "9.3", @@ -2865,7 +2859,7 @@ "rule_name": "Dynamic Linker Modification Detected via Defend for Containers", "sha256": "42eccedf47d0083269869acb142a647cebd64cd97a02f2693448c5df83b68fc3", "type": "eql", - "version": 105 + "version": 104 }, "344e6c7d-ceb0-4f20-ba04-7c75569a7e38": { "min_stack_version": "9.3", 
@@ -2878,31 +2872,31 @@ "rule_name": "GitHub Repository Deleted", "sha256": "9dbead37db4773f09b4ed758283f61fe7e4562772482b18e75416654a8fe2c4c", "type": "eql", - "version": 208 + "version": 207 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", "sha256": "8ab449b25259296b7454c26d1a88b78d5c22b67f6c82f767508ffb494c3f8b15", "type": "new_terms", - "version": 8 + "version": 7 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", "sha256": "98c05891ac1d062019fd7be22d345704b8cce6b75f1ae4ec8d9787e51f40a22b", "type": "query", - "version": 114 + "version": 113 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", "sha256": "a1843f580774fd27510d03b658a031fe4440da62ef0c574ddbe795d7f77b20e2", "type": "eql", - "version": 112 + "version": 111 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", "sha256": "3ced595dce2cd24c4727be69b9fa601479fd2f2f80457f720c694e678a28b875", "type": "eql", - "version": 420 + "version": 419 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "min_stack_version": "9.4", 
@@ -2918,31 +2912,31 @@ "rule_name": "Spike in Bytes Sent to an External Device", "sha256": "bff333b259468a39c107b211f1ba6331060aa97c23f5486f3654fce8a3dd4361", "type": "machine_learning", - "version": 109 + "version": 108 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { "rule_name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)", "sha256": "07c165d99fb8e82989dfd95f7c238c2624bf70169acdf0a73405eb1cb4353b39", "type": "esql", - "version": 112 + "version": 111 }, "35c029c3-090e-4a25-b613-0b8099970fc1": { "rule_name": "File System Debugger Launched Inside a Container", "sha256": "898841494b2ae4193ff42978ce0f1807a55816bb416aadf5c4e073b0fc9b51bc", "type": "eql", - "version": 4 + "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", "sha256": "e3d3be616bcb1a086a207ba505b838f699ef299089fdeaab832fca7e48b4df09", "type": "eql", - "version": 323 + "version": 322 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", "sha256": "7f796d399910edf9f262f06a682761ddce112875ea599e8027c80503e3a0f50d", "type": "machine_learning", - "version": 110 + "version": 109 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", 
@@ -2954,25 +2948,25 @@ "rule_name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs", "sha256": "57d3c6aff18828252ee65176a27549f6eee324fd1ce7552e0823c3f487c57852", "type": "esql", - "version": 10 + "version": 9 }, "36755b43-a1f9-4f2c-9b61-6b240dd0e164": { "rule_name": "Executable File Download via Wget", "sha256": "71221bb9da8496eb982f703abdfa41780325a6d81b484361e1c41ae00352f8bf", "type": "eql", - "version": 2 + "version": 1 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", "sha256": "976ac418b90849b5394d30625f9e55b98b84485146dec6f035af51f5458f7378", "type": "eql", - "version": 116 + "version": 115 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", "sha256": "dcdf537347147dc3930fd8c5892863eea0a265f5f89c49b351a4fbab410ef039", "type": "eql", - "version": 316 + "version": 315 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "min_stack_version": "9.4", 
@@ -2988,25 +2982,25 @@ "rule_name": "High Mean of Process Arguments in an RDP Session", "sha256": "1345a788253e2c63d8198472d6d8d2321ce9775b581b4897330441bc864b31eb", "type": "machine_learning", - "version": 110 + "version": 109 }, "37148ae6-c6ec-4fe4-88b1-02f40aed93a9": { "rule_name": "Command Obfuscation via Unicode Modifier Letters", "sha256": "45fa53855ae8537315bde347efa3cf473c4337ad0ebf67a01599501247d6c287", "type": "eql", - "version": 4 + "version": 3 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "rule_name": "Potential Suspicious File Edit", "sha256": "bc478d05a000303ff85de650bc9b7604b2b57a7444f80337b05fca226b44d9a1", "type": "eql", - "version": 111 + "version": 110 }, "375132c6-25d5-11f0-8745-f661ea17fbcd": { "rule_name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)", "sha256": "771ca76a55853827aa9d3ea8bd44a66201d54913b3bc91e9e331a2dbdf94e5e7", "type": "esql", - "version": 10 + "version": 9 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "Deprecated - AWS RDS Security Group Creation", @@ -3018,7 +3012,7 @@ "rule_name": "Entra ID High Risk Sign-in", "sha256": "dd4b0b5074d56377ff3963b0e687dbe6e92954a3604dd00a66f4749fcff3c16b", "type": "query", - "version": 112 + "version": 111 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", @@ -3030,13 +3024,13 @@ "rule_name": "AWS SSM `SendCommand` Execution by Rare User", "sha256": "b88228a38401d3cfaf88a020153942655bee03db41be8d1b12f2d0468b9a694a", "type": "new_terms", - "version": 217 + "version": 216 }, "37cb6756-8892-4af3-a6bd-ddc56db0069d": { "rule_name": "Disabling Lsa Protection via Registry Modification", "sha256": "c647076f76477dd2aa512614840acda934b1f94328c2a08ba9db4111d921b1c2", "type": "eql", - "version": 8 + "version": 7 }, "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { "min_stack_version": "9.4", 
@@ -3052,110 +3046,110 @@ "rule_name": "Spike in User Account Management Events", "sha256": "8f1c726255a1e3944db11d55a3907a360b2e08797aa0a0789c2980987625af7f", "type": "machine_learning", - "version": 105 + "version": 104 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "3be1e2737e17c3a4630ef9d45bc0d60c92d160dd2a665283457ac04e3c122a97", "type": "eql", - "version": 213 + "version": 212 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "rule_name": "Attempted Bypass of Okta MFA", "sha256": "d497cf9ebba367ccc27ffa60c83adad1b1c4ca123ed732867ca75c61a9e34383", "type": "query", - "version": 416 + "version": 415 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", "sha256": "5e7901e98b0caf7d6571576af6676f95d6a1f8af52f4b9f99a6b7ffe6c6ea881", "type": "eql", - "version": 220 + "version": 219 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with Osascript", "sha256": "82a7a287cd5ac7dcb591e035ffdecd15f555737bed999611a2fc015ac0aeeb4e", "type": "eql", - "version": 216 + "version": 215 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Impossible Travel Location", "sha256": "dcf59b2a5eb9cea3fa3b28c42371c01991bf37cf31e626317797923adb7af039", "type": "threshold", - "version": 11 + "version": 10 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "Entra ID User Added as Service Principal Owner", "sha256": "8391a444b3933bf47281a3af89558637258d16499151f4d19fb9bd5010de3f72", "type": "query", - "version": 110 + "version": 109 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { "rule_name": "External User Added to Google Workspace Group", "sha256": "1d4f576cece46f98cac0186d4b7686f927c4329e6bf393a9cbd159dbfb4770d9", "type": "eql", - "version": 8 + "version": 7 }, "39029450-8e2d-4034-81b0-15af8e4e3a4e": { "min_stack_version": "9.3", "rule_name": "Nsenter Execution with Target Flag Inside Container", "sha256": 
"012976abca9dfba1327ea6926edf0cf40d0126e26937b9ba13570d2367d1af56", "type": "eql", - "version": 2 + "version": 1 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "fd463b53155f11c4465a2ebddd880793fb50c8d7cbb164ae7e172dae791842f3", "type": "query", - "version": 214 + "version": 213 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { "rule_name": "Downloaded Shortcut Files", "sha256": "0cd2d8329df50935d117f1e8f8cbd8a6b749d5098aea10fb2ce8095fd4b8e0ce", "type": "eql", - "version": 8 + "version": 7 }, "393ef120-63d1-11ef-8e38-f661ea17fbce": { "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls", - "sha256": "57cb5c793a1562360738c9ecc43ca2dbfa62d0d194f6bd2e5299f49bf0ce2b12", + "sha256": "ea50abca6b44953d8810e58b35a4ab0f2e456efc1ccb2adb65d1840d162060f7", "type": "esql", - "version": 10 + "version": 8 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "d1265b8223c6c20063ff460b62984e6ca6f864de6a66513d32508de2ade0d0bb", "type": "eql", - "version": 315 + "version": 314 }, "39c06367-b700-4380-848a-cab06e7afede": { "rule_name": "Systemd Generator Created", "sha256": "ba955d67667f012e2b16b7f60f9d67344026b1c6964d11f2dd1da09cd04fa97e", "type": "eql", - "version": 9 + "version": 8 }, "3a01e5c6-ce01-46d7-ac9f-52dc349695fb": { "rule_name": "Kubernetes Anonymous User Create/Update/Patch Pods Request", "sha256": "7f2bf812108252f0c2cec448e9f10dfff725021983a612df901b4dd4d36b49c7", "type": "eql", - "version": 4 + "version": 3 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "046338d3b95b4b4a22498cb8fdd538e20619623197e2a583d8477e82f2f07c9c", "type": "eql", - "version": 317 + "version": 316 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "rule_name": "Suspicious Module Loaded by LSASS", "sha256": "796e8f216c09cde2bcb8f6dea7f1570c7759d3a27fe86d229895f85ff629118d", "type": "eql", - "version": 16 + "version": 15 
}, "3a657da0-1df2-11ef-a327-f661ea17fbcc": { "rule_name": "Rapid7 Threat Command CVEs Correlation", "sha256": "578f758b47b1aead0b38e093c09d6cf0b68b2f4f3b8412cb9e7a7aec89f7c7c9", "type": "threat_match", - "version": 108 + "version": 107 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", @@ -3167,37 +3161,37 @@ "rule_name": "WDAC Policy File by an Unusual Process", "sha256": "bd13988291b5cb72058e02ddbb6ad4616961a1b28e358601ef15c1d62837d8e6", "type": "eql", - "version": 8 + "version": 7 }, "3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": { "rule_name": "External IP Address Discovery via Curl", "sha256": "8b76cd9c1817c00cade7709946be584ee7ae14b634434ca378634e3d717e5172", "type": "eql", - "version": 2 + "version": 1 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "6c9b9155e809656088fdd932c9134a2986d4809c75cadec68224554ef6c76397", "type": "query", - "version": 112 + "version": 111 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "rule_name": "Azure VNet Full Network Packet Capture Enabled", "sha256": "e200432935afd9d703887c7f3ef678e67887553e91570a46e0f59f266667eb62", "type": "query", - "version": 111 + "version": 110 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "9b60a36c69eb59819eabf8baff81ce0f4d7f7c8663d59efc062d57990122d231", "type": "new_terms", - "version": 208 + "version": 207 }, "3aff6ab1-18bd-427e-9d4c-c5732110c261": { "rule_name": "Suspicious Kernel Feature Activity", "sha256": "e15b8360b5fa96f7f261912197ae09404a3268f8229561e6bcc3f39b7d56448b", "type": "eql", - "version": 6 + "version": 5 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", 
@@ -3209,31 +3203,31 @@ "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "ad8c4fc9a44c93f4c1ca79d8954e509b790c3bd3199a8ea3bcdc21e55aee6a8d", "type": "eql", - "version": 419 + "version": 418 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", "sha256": "9354b45311be9fe16a9acb746a33c1bd4a40f927d7efdef1f097f9708c29702d", "type": "eql", - "version": 322 + "version": 321 }, "3c216ace-2633-4911-9aac-b61d4dc320e8": { "rule_name": "SSH Authorized Keys File Deletion", "sha256": "8ccc9ffefdcb3516217cb8bcec790571ad1559f608b2eb380758df09de98a993", "type": "eql", - "version": 7 + "version": 6 }, "3c3f65b8-e8b4-11ef-9511-f661ea17fbce": { "rule_name": "AWS SNS Topic Created by Rare User", "sha256": "3216757a897e26e81d8b37469ca11d9cd83cf3bde8bc78df45c871a1e4051459", "type": "new_terms", - "version": 7 + "version": 6 }, "3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7": { "rule_name": "AWS GuardDuty Member Account Manipulation", "sha256": "a40514c715a70b1163a1e1f528f68857ffc2122ec3f68c23b33c12e87aee77c9", "type": "query", - "version": 3 + "version": 2 }, "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": { "min_stack_version": "9.3", @@ -3249,7 +3243,7 @@ "rule_name": "Potential Impersonation Attempt via Kubectl", "sha256": "6f05c685fff2f027e142e25e5d1e4228ecf4ff2b4714298055101681504880f5", "type": "eql", - "version": 105 + "version": 104 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "min_stack_version": "9.4", 
@@ -3265,43 +3259,43 @@ "rule_name": "Unusual Linux Network Port Activity", "sha256": "21ab8bdde2ddb498cb6c6edcdfd953b4b9690ca4b6075b3281943bbb160799e3", "type": "machine_learning", - "version": 210 + "version": 209 }, "3c82bf84-5941-495b-ac41-0302f28e1a90": { "rule_name": "Kubernetes Sensitive RBAC Change Followed by Workload Modification", "sha256": "f137913826f4dfb346b155061fef745d733d9ac84ad693ed6646cd5fa68123b8", "type": "eql", - "version": 4 + "version": 3 }, "3c9f7901-01d8-465d-8dc0-5d46671035fa": { "rule_name": "Kernel Seeking Activity", "sha256": "b6ed31a8880a5bf50d74e9dcc03e8b2cb2a5102bcb585e66bfe54222fb8eb4d7", "type": "eql", - "version": 8 + "version": 7 }, "3ca81a95-d5af-4b77-b0ad-b02bc746f640": { "rule_name": "Unusual Pkexec Execution", "sha256": "fe48ab4d99dcee0d5c5d78d13fd52a051728cc3f40f8e2da36a99717430d3944", "type": "new_terms", - "version": 108 + "version": 107 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "b1672954e193a08ee14cf25ad9a926ef7c6d72374b4b36e9fa0067a9ee840fe4", "type": "eql", - "version": 212 + "version": 211 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "c659f3531861796f257f84b285c8bc268159860e17ada2092b5ddb0004cc8f68", "type": "query", - "version": 212 + "version": 211 }, "3db029b3-fbb7-4697-ad07-33cbfd5bd080": { "rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins", "sha256": "00f3734aeadad18ecaa1bb530c67b46dd2d9a77276365492a19c14fc174dea3a", "type": "esql", - "version": 7 + "version": 6 }, "3dc4e312-346b-4a10-b05f-450e1eeab91c": { "min_stack_version": "9.3", 
@@ -3314,13 +3308,13 @@ "rule_name": "AWS SNS Rare Protocol Subscription by User", "sha256": "32680ca1127f1b7e76119a007029e178da00282028a5aa539ca6d3520f448c0f", "type": "new_terms", - "version": 11 + "version": 10 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", "sha256": "781c416727462ac0e014347828b7c261ba04967713972c298db7516882f130ba", "type": "query", - "version": 216 + "version": 215 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { "min_stack_version": "9.4", 
@@ -3336,55 +3330,55 @@ "rule_name": "Spike in Number of Connections Made from a Source IP", "sha256": "81349653c7bef22cf29580e3ace788925cb5a9d8b543e05fb97f9a36da0e0796", "type": "machine_learning", - "version": 110 + "version": 109 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "d63e463099820ef415fca37e369392f17e227ba4229ff8aa8e48ff9dac348e8b", "type": "eql", - "version": 214 + "version": 213 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { "rule_name": "Kernel Driver Load", "sha256": "0a649a755936c4b5da4883d2cb39416fee6ed20ff38954671bfa71ebcf3d8581", "type": "eql", - "version": 9 + "version": 8 }, "3e3d15c6-1509-479a-b125-21718372157e": { "rule_name": "Suspicious Emond Child Process", "sha256": "c586b75e397cda63031abb53a78c714e80a8a1dfb2d133d0e35827dcba2a6902", "type": "eql", - "version": 114 + "version": 113 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "rule_name": "Potential Remote File Execution via MSIEXEC", "sha256": "5dc58754cc4f82d45abfe4dc812f1a4e4823e795adf94e534fd630f2b61d6105", "type": "eql", - "version": 9 + "version": 8 }, "3e528511-7316-4a6e-83da-61b5f1c07fd4": { "rule_name": "Remote File Creation in World Writeable Directory", "sha256": "fc8e3c202ef830d2941a6ad711b2144582b8312d846d1a75ced12e2f63f22a80", "type": "new_terms", - "version": 8 + "version": 7 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "4fe6e4dfb6e7e93063fa4911b3c2025b8492162b1f28e177045abb5224eb1bbc", "type": "eql", - "version": 320 + "version": 319 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "rule_name": "Suspicious Process Creation CallTrace", "sha256": "eac8a62ca1cd0d0965dc5352545dc9eb7341fceab8cbfa3a9d801b1534511f08", "type": "eql", - "version": 313 + "version": 312 }, "3ee526ce-1f26-45dd-9358-c23100d1121f": { "rule_name": "Linux Audio Recording Activity Detected", "sha256": 
"25b189c8cc3cec6eaf6f44babd229e8590b233434678bbfcdacb28cdd93364f5", "type": "new_terms", - "version": 3 + "version": 2 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts", @@ -3396,31 +3390,31 @@ "rule_name": "CyberArk Privileged Access Security Error", "sha256": "149a70bdcd76cf9bf067b2539841f715ee8df3aa2773e8f4505c24ecda648101", "type": "query", - "version": 107 + "version": 106 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { "rule_name": "Potential Protocol Tunneling via Chisel Client", "sha256": "94be773db4ae46451aaa962d086a75466bbd8d1a8f6afdd666d19cf0b51bdcde", "type": "eql", - "version": 13 + "version": 12 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "rule_name": "Binary Executed from Shared Memory Directory", "sha256": "d0213728bd6f84baef92aa0cfd3502dddef5d9b975a87ca21fabbded914ca935", "type": "eql", - "version": 117 + "version": 116 }, "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": { "rule_name": "Potential Data Exfiltration via Rclone", "sha256": "654c6762675bbe2e86e2cdc5f2883647739cb1d40a8231cdd3156fd69752ad41", "type": "eql", - "version": 5 + "version": 4 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "rule_name": "Process Discovery via Built-In Applications", "sha256": "69d7a45361fa360c7008395ce81012bd3497330d2b62c25ebfd1913cbd58a87b", "type": "new_terms", - "version": 8 + "version": 7 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { "min_stack_version": "9.4", 
@@ -3436,25 +3430,25 @@ "rule_name": "Unusual Time or Day for an RDP Session", "sha256": "88291719875740ebfe930f0d6526a42e8de7f03c6c6eb67af3bfaa96b77b400d", "type": "machine_learning", - "version": 110 + "version": 109 }, "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { "rule_name": "Command Execution via ForFiles", "sha256": "02b65a2a6c93487298996a9bfedaedb4d1436598cb4267292ef241ebc36be63e", "type": "eql", - "version": 8 + "version": 7 }, "3fac01b2-b811-11ef-b25b-f661ea17fbce": { "rule_name": "Entra ID MFA TOTP Brute Force Attempted", "sha256": "0c901fa65426f1462fb80e4ca2d1faf929654f311d89f202a3280dc35c9ab403", "type": "esql", - "version": 10 + "version": 9 }, "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { "rule_name": "DNF Package Manager Plugin File Creation", "sha256": "719051601ba7f4bc360e488b3f96c381ddee61bc0d99d586137c39964715592e", "type": "eql", - "version": 109 + "version": 108 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { "min_stack_version": "9.4", 
@@ -3470,91 +3464,91 @@ "rule_name": "Unusual Process Spawned by a User", "sha256": "cb675206bfdfdbd51d00586a43ad5ab1b7a4b7cf9df4e553b7a9d967e5f1d711", "type": "machine_learning", - "version": 212 + "version": 211 }, "4021e78d-5293-48d3-adee-a70fa4c18fab": { "rule_name": "Potential Azure OpenAI Model Theft", - "sha256": "f5943841572ea047091c8d64f568053c517e10ee41b48cb5f13a403583415c62", + "sha256": "95545a1f85bdb02d2df6d31c2bd4f9fc0c6ad61f606abc56c7b749ec0823064c", "type": "esql", - "version": 7 + "version": 5 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { "rule_name": "GitHub User Blocked From Organization", "sha256": "7b0f9689a8a45ba9dde72567402b194089a439875f380ef1ece3fbea910dfe3a", "type": "eql", - "version": 207 + "version": 206 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", "sha256": "8672a0625e04b58e7bbe56de0f48ddd08dee74082cfb85e5dc0eb2a5fe9209a2", "type": "eql", - "version": 319 + "version": 318 }, "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": { "rule_name": "New GitHub Self Hosted Action Runner", "sha256": "8bc6935db6bda5ca9d6adfaf7c46a30e9041e429a474d22fb9bea08e8129f9e2", "type": "new_terms", - "version": 5 + "version": 4 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "rule_name": "Suspicious Modprobe File Event", "sha256": "07ed14815a1ee29d7a2ff5875f8b1a3077e662274428187236ecfb4fc4c0cb80", "type": "new_terms", - "version": 113 + "version": 112 }, "40e60816-5122-11f0-9caa-f661ea17fbcd": { "rule_name": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected", "sha256": "e79dc5d558b08aa2d6a5ac711b6839d68982ebf44258c71d341bd4fa6f8a122c", "type": "eql", - "version": 6 + "version": 5 }, "40fe11c2-376e-11f0-9a82-f661ea17fbcd": { "rule_name": "M365 Exchange Inbox Phishing Evasion Rule Created", "sha256": "070959c714f7a09d058737cad7ec89cc9e40d1ead7af7e3e6b3448b52335f045", "type": "new_terms", - "version": 6 + "version": 5 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { "rule_name": "Unix Socket Connection", 
"sha256": "50405e170ddbf72168eb26b96b10d0ddeef2da2ea25dbc04fd4820ec47ce4aef", "type": "eql", - "version": 110 + "version": 109 }, "41554afd-d839-4cc2-b185-170ac01cbefc": { "rule_name": "AWS Sensitive IAM Operations Performed via CloudShell", "sha256": "f35e27ff8f1f926289ec4c5333d1a66e6a4b7bb6e3d244d9024e2e87f621ec0d", "type": "query", - "version": 4 + "version": 3 }, "416697ae-e468-4093-a93d-59661fa619ec": { "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "ecc40ef6f1887e2552a67ac50b893a78045aa90c933ed8ef9dba6dbc5db45679", "type": "eql", - "version": 320 + "version": 319 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "a44f29bc649117953df7644b522fe34d02e04792ce1995c96d63aefa46581be4", "type": "new_terms", - "version": 208 + "version": 207 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "Deprecated - EggShell Backdoor Execution", "sha256": "ad194c072b22ac1d47da8069b2c2cda6478e3fd76ec7f8dd2e6914f3328b7ecb", "type": "query", - "version": 108 + "version": 107 }, "4182e486-fc61-11ee-a05d-f661ea17fbce": { "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public", "sha256": "a194f601c0396232cfc2cf076aec26674df35dbebda99b88ba26210ab1342940", "type": "eql", - "version": 11 + "version": 10 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", "sha256": "5117bb1a4b1e01d38cf252aea6b1d85875d355d76d43d8355a82c5e6c8b94ec8", "type": "eql", - "version": 112 + "version": 111 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { "min_stack_version": "9.3", @@ -3570,7 +3564,7 @@ "rule_name": "Mount Execution Detected via Defend for Containers", "sha256": "4aea5af437fef5fae47cf6ed305293ff950199332e2fb03503525348f1b6cbb6", "type": "eql", - "version": 104 + "version": 103 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { "min_stack_version": "9.3", 
@@ -3586,38 +3580,38 @@ "rule_name": "Interactive Exec Into Container Detected via Defend for Containers", "sha256": "3beffdc64d3c80e62705d9f9f3a6b6fc92f18bd94136f30202711303713d78b3", "type": "eql", - "version": 105 + "version": 104 }, "428e9109-dc13-4ae9-84cb-100464d4c6fa": { "rule_name": "Unusual Login via System User", "sha256": "5b2247172cc6a9ec4fb03f5f3bb198e0ebbe37e546e0742e0a78510f59e8ba6e", "type": "new_terms", - "version": 8 + "version": 7 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "rule_name": "Potential Okta Password Spray (Single Source)", "sha256": "d564134d98af7a3d81f0386dc3680e01e1259752b63bdb4657a1220d9d26a3c2", "type": "esql", - "version": 419 + "version": 418 }, "42c97e6e-60c3-11f0-832a-f661ea17fbcd": { "rule_name": "Entra ID External Authentication Methods (EAM) Modified", "sha256": "1a5cfbafaa947d1a30a0e36172836401d4ae9185aa8bc05e1c51245e1adeb397", "type": "new_terms", - "version": 5 + "version": 4 }, "42de0740-8ed8-4b8b-995c-635b56a8bbf4": { "min_stack_version": "9.3", "rule_name": "Kubelet Certificate File Access Detected via Defend for Containers", "sha256": "5607487040f92b7d283e36023a5fe5282bf400d31b48f4dbf1eb2ebc42106dca", "type": "eql", - "version": 3 + "version": 2 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "rule_name": "Process Creation via Secondary Logon", "sha256": "dbeba92d4f831b5f36a5a0d99766eb50182c1b60eade9a6452880f4ceb9db0d0", "type": "eql", - "version": 117 + "version": 116 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "min_stack_version": "9.4", @@ -3633,7 +3627,7 @@ "rule_name": "Unusual Login Activity", "sha256": "ceada163683a969ff0c09eeb47c2a6548ed0c5540c6489baaba37e1279299e79", "type": "machine_learning", - "version": 208 + "version": 207 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", 
@@ -3645,20 +3639,20 @@ "rule_name": "Linux User Added to Privileged Group", "sha256": "4087c9d1fa0fbd63a5994e714de0043354219e1486a90d369e6f9568db609f9b", "type": "eql", - "version": 115 + "version": 114 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "faa296ace7afe520ea4ef4a8f94e73bdaabf18a3fdff2491b9411910a92c7b26", "type": "eql", - "version": 317 + "version": 316 }, "444c8fad-874f-4f59-b0ea-cf26cea478bd": { "min_stack_version": "9.2", "rule_name": "AWS Account Discovery By Rare User", "sha256": "ca6ee51c94c13583db988064c27811dd1667e2ed0c6f855641192291f42480b9", "type": "new_terms", - "version": 3 + "version": 2 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "9.4", 
@@ -3674,31 +3668,31 @@ "rule_name": "Unusual Windows Path Activity", "sha256": "9521887c113dba587810eda8d843fae683aa907a35cb28d192ad2af4fea6f05c", "type": "machine_learning", - "version": 311 + "version": 310 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", "sha256": "a3ea7556a748c2042b4ddc53356093c97193a916b4a367701ae9c45c75e2d656", "type": "eql", - "version": 8 + "version": 7 }, "44cb1d8a-1922-4fc0-a00f-36c1caf57393": { "rule_name": "Potential snap-confine Privilege Escalation via CVE-2026-3888", "sha256": "2914fe3d40dd1b622e50c819001ef6f6841a9ab90204059631fee0d078b93a01", "type": "eql", - "version": 3 + "version": 2 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "rule_name": "Multiple Vault Web Credentials Read", "sha256": "4674d5f4a49d989f5bd2e7c5a3c68c4cb0b3c01bd3785dbaf23d881418bbd326", "type": "eql", - "version": 117 + "version": 116 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { "rule_name": "AWS Route 53 Resolver Query Log Configuration Deleted", "sha256": "bdcca3f4e0bc64249b3b8122881ea1261a2d6730802c955c30624c65a57f137f", "type": "query", - "version": 9 + "version": 8 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Elastic Endgame", 
@@ -3711,50 +3705,50 @@ "rule_name": "Rare Powershell Script", "sha256": "9c0511f7439e1c00c5d8282719bc8a3a3264846f0c2da4f4f9ee4cdcf7ec335f", "type": "machine_learning", - "version": 2 + "version": 1 }, "4577ef08-61d1-4458-909f-25a4b10c87fe": { "rule_name": "AWS RDS DB Snapshot Shared with Another Account", "sha256": "e7c9e715dfc5202e3726e02eb0845d9ebc862820f8d6f38bbc831db9a30afacf", "type": "eql", - "version": 9 + "version": 8 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { "rule_name": "Windows Event Logs Cleared", "sha256": "5dbb2ba25bb9773b3f4cbfe7113bdfbea3297b4abe47e86d665329d81f9ce439", "type": "query", - "version": 217 + "version": 216 }, "45d099b4-a12e-4913-951c-0129f73efb41": { "min_stack_version": "9.2", "rule_name": "Web Server Potential Remote File Inclusion Activity", - "sha256": "55cccf9030c37cae0a910817ffe302dbd00b099b549e8f0441949be7a4241d47", + "sha256": "eac6dd3f878185bf383aa944ce7171b5ac8f06bbac00216eda18a5633aaef77c", "type": "esql", - "version": 7 + "version": 5 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "0ccdfbb0e5e5ffd32a9233c3ddf4f8302da0fb0f0850ce2f8d4581d3fbb3b3e5", "type": "eql", - "version": 221 + "version": 220 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "564bb0d746bd663f81363cdf9ac732590b9f53cb2de5ba98a67f800fb3539a31", "type": "eql", - "version": 322 + "version": 321 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "930128205c02f5c7f26427faefeb2d4bab4bebdacf586a93b0aa5017bef1e78b", "type": "eql", - "version": 319 + "version": 318 }, "46b01bb5-cff2-4a00-9f87-c041d9eab554": { "rule_name": "Browser Process Spawned from an Unusual Parent", "sha256": "9b29139c1b7fd40c89143857a62a03aa09c8e7963ef54f650fff4224dc441f21", "type": "eql", - "version": 5 + "version": 4 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "min_stack_version": "9.4", 
@@ -3770,31 +3764,31 @@ "rule_name": "Unusual Process For a Linux Host", "sha256": "e3f402cd3a598b9f2569f90d33ef2259c22ad46f3dc1bdc3c4c5b17eec84f8bf", "type": "machine_learning", - "version": 209 + "version": 208 }, "472b4944-d810-43cf-83dc-7d080ae1b8dd": { "rule_name": "Multiple Cloud Secrets Accessed by Source Address", "sha256": "5e4eae6eda373ea926bb58a7a366c5a8f2927a722bf046ea56b6c12f05a39d09", "type": "esql", - "version": 7 + "version": 6 }, "47403d72-3ee2-4752-a676-19dc8ff2b9d6": { "rule_name": "AWS IAM OIDC Provider Created by Rare User", "sha256": "2b8214da1cdbd0bc040957a0d7526d484399595432c8a33204adcf6632c40bc7", "type": "new_terms", - "version": 4 + "version": 3 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "rule_name": "System V Init Script Created", "sha256": "a68393a005eedad66f216d14894d34d69d69ddf143cc9fa39a2f535685870c6b", "type": "eql", - "version": 120 + "version": 119 }, "47595dea-452b-4d37-b82d-6dd691325139": { "rule_name": "Credential Access via TruffleHog Execution", "sha256": "80cd369aeb6877b1db2b6c12d1783ea6a5d0a624fa9017500b34cad571cef398", "type": "eql", - "version": 5 + "version": 4 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "min_stack_version": "9.3", 
@@ -3810,32 +3804,32 @@ "rule_name": "Sensitive File Compression Detected via Defend for Containers", "sha256": "731ba52a513156d8a87d316d77433a64170711f97dc7f177f3f719aea71b3314", "type": "eql", - "version": 106 + "version": 105 }, "476267ff-e44f-476e-99c1-04c78cb3769d": { "rule_name": "Cupsd or Foomatic-rip Shell Execution", "sha256": "653a7ef1791236e63f96af404c6b02046875b405b8037d13ccb1a3e7998ba6fd", "type": "eql", - "version": 108 + "version": 107 }, "47661529-15ed-4848-93da-9fbded7a3a0e": { "min_stack_version": "9.3", "rule_name": "Chroot Execution Detected via Defend for Containers", "sha256": "59db7a4c53b4f3ddb4207c6491c7bd8d81c264d0c04da5d8788ab834607b79d7", "type": "eql", - "version": 3 + "version": 2 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "a5af415e1f2c7a456ca9118e3e4597cc2b0b71a212a73a2fa72bda8e0830cac8", "type": "eql", - "version": 219 + "version": 218 }, "47e46d85-3963-44a0-b856-bccff48f8676": { "rule_name": "DNS Request for IP Lookup Service via Unsigned Binary", "sha256": "5507c058a6bcd349f879a5f5b392db5d4cc807eb70ed4a818f9712aefe6e45a4", "type": "eql", - "version": 3 + "version": 2 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", 
@@ -3847,92 +3841,92 @@ "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "938566ecdd4b7685b7907233ea57cfe0cb348a40ac06c7eb2716b07aab912725", "type": "eql", - "version": 114 + "version": 113 }, "47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5": { "rule_name": "Potential Database Dumping Activity", "sha256": "aad1b6a1095cc1013ae935d6e8045119e05fe3ef4f5834c1f9127be2395959e7", "type": "eql", - "version": 3 + "version": 2 }, "483832a8-ffdd-4e11-8e96-e0224f7bda9b": { "min_stack_version": "9.2", "rule_name": "New USB Storage Device Mounted", "sha256": "68046728274c9ab9c11bc0b39e461e49b9a9b9848f71d7011fe77d57ba59496e", "type": "new_terms", - "version": 3 + "version": 2 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "5a1aba147a9b9f814d2d1b09cd541b22ae6d611c7fd6f3188f5920edab8078c0", "type": "eql", - "version": 319 + "version": 318 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "M365 Exchange Mailbox Accessed by Unusual Client", "sha256": "8a10e8db5467f33d67e8ed3dca2f5a1d079e9d210603960f09e9db3ea9d997c7", "type": "new_terms", - "version": 114 + "version": 113 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "rule_name": "Potential Reverse Shell", "sha256": "e0d23e8a4ce93e59d053897dac95bd93ea4007fea82aa10026eb0f9cb6aa98c0", "type": "eql", - "version": 16 + "version": 15 }, "48b6edfc-079d-4907-b43c-baffa243270d": { "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "13da83ae4ff6203a49a32508015f5afa1857f4551dfcaad34b06c929cf1e6a56", "type": "esql", - "version": 120 + "version": 119 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", "sha256": "be6c7b51b8751b54b6b8c450645ccbe983f6d0ad6b84552de2019226faae60b8", "type": "eql", - "version": 112 + "version": 111 }, "48e60a73-08e8-42aa-8f51-4ed92c64dbea": { "rule_name": "Suspicious Microsoft HTML Application Child Process", "sha256": 
"7c56c9e26607fba3339913474442ef3d7bfbf6293b5c99f54d2eb96881fade95", "type": "eql", - "version": 5 + "version": 4 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "20d159f7d05efe06ca199cdaaa7dbfd309d575bb0863bb8a3abb182ce79e8ac5", "type": "eql", - "version": 111 + "version": 110 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "rule_name": "Remote XSL Script Execution via COM", "sha256": "f1c328ae4209f8dd970135e0448fcc4570c22a584600e6623a6e7b834d57b7a0", "type": "eql", - "version": 9 + "version": 8 }, "491651da-125b-11f1-af7d-f661ea17fbce": { "rule_name": "M365 SharePoint/OneDrive File Access via PowerShell", "sha256": "85739e22b434b14be9315877943b9eb3b82ce63928b065f96cb4631cb598768c", "type": "new_terms", - "version": 5 + "version": 4 }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "341a8470ad5c7618b7be6e4a50d4bd34a9b8d4df9f021843baa58f4d22af7514", + "sha256": "d94a4754a0bac94045cb963405493f79639e4750d53db7855347719f027c7a91", "type": "esql", - "version": 109 + "version": 107 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { "rule_name": "Potential Linux Backdoor User Account Creation", "sha256": "9365957412d43c05676cc64a16e5849fea6369fb83f1f3bc6433834987b4d0c1", "type": "eql", - "version": 115 + "version": 114 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "6d87b2fabfb96262dab24abba760dd06624e339e6f6754d5b80da802c4fcc200", "type": "query", - "version": 112 + "version": 111 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", 
@@ -3945,13 +3939,13 @@ "rule_name": "Web Server Exploitation Detected via Defend for Containers", "sha256": "4f015b58f7cc44127fa2338b2af0178f6882ee823df52179f218821a49ec03e8", "type": "eql", - "version": 4 + "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { "rule_name": "Process Discovery Using Built-in Tools", "sha256": "547cc7d9e89793916feda5f91bfa09fcdb1001369b259f28b1d90f8790b0c8b7", "type": "eql", - "version": 112 + "version": 111 }, "498e4094-60e7-11f0-8847-f661ea17fbcd": { "min_stack_version": "9.2", @@ -3974,7 +3968,7 @@ "rule_name": "Entra ID Federated Identity Credential Issuer Modified", "sha256": "75ce697b7ebba19a90b13ad5c2a00f716b1136889ac57cf0454fb38d2abf3033", "type": "esql", - "version": 210 + "version": 209 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", @@ -3986,7 +3980,7 @@ "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", "sha256": "ebb411cb6d8deec435be6983e89ff05cf986d078ea776de1c513732dad30a8a8", "type": "eql", - "version": 112 + "version": 111 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "rule_name": "Potential Cross Site Scripting (XSS)", @@ -3998,13 +3992,7 @@ "rule_name": "Connection to Common Large Language Model Endpoints", "sha256": "e3a857464bccee09ed43658511ac90b4b5e1ab9d35a7e6f562e8222fb1c31356", "type": "eql", - "version": 7 - }, - "4b11dbab-ce37-49c4-bdf1-cdf64b405d96": { - "rule_name": "Entra ID Kali365 Default User-Agent Detected", - "sha256": "d8759e78bb798855a5a61d818a59707d86bb975918b0089e301ce67513530d2d", - "type": "query", - "version": 1 + "version": 6 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", 
@@ -4016,13 +4004,13 @@ "rule_name": "Entra ID Protection - Risk Detection - User Risk", "sha256": "5df9119f737237a17d5b11d6333596ed6cccdcea1c3d4ddb2115cee9fdf15a27", "type": "query", - "version": 5 + "version": 4 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "712e9f27b5d709ea5f42c73b492a3eb4b4c9d9a749c11b25a0c40218cf62765a", "type": "eql", - "version": 318 + "version": 317 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "min_stack_version": "9.3", @@ -4038,25 +4026,25 @@ "rule_name": "Container Workload Protection", "sha256": "498945c61a0e56d7dee2199258dd45db789fe0034e64cf69ce36b49ebf2a1568", "type": "query", - "version": 107 + "version": 106 }, "4b74d3b0-416e-4099-b432-677e1cd098cc": { "rule_name": "Container Management Utility Run Inside A Container", "sha256": "4b1c24e5e2fb7b93b9cab43640dcb67a1a8d8023080af350342420b412d954a3", "type": "eql", - "version": 6 + "version": 5 }, "4b77d382-b78e-4aae-85a0-8841b80e4fc4": { "rule_name": "Kubernetes Forbidden Request from Unusual User Agent", "sha256": "88773d78b14a1bcdf590ca88cafbe442d00a5a49f47b498e65a6ac6d4a767133", "type": "new_terms", - "version": 7 + "version": 6 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "rule_name": "ProxyChains Activity", "sha256": "68defaeb26fa351359ae0446628962b14803c4baeff4ee68daf60bf8947ef046", "type": "eql", - "version": 111 + "version": 110 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { "min_stack_version": "9.4", 
@@ -4072,134 +4060,134 @@ "rule_name": "Unusual Process Writing Data to an External Device", "sha256": "1589cefc5200c7e7996d5300845a603f75f00b8ae38c6b4aaf586efc53f66089", "type": "machine_learning", - "version": 109 + "version": 108 }, "4bae6c34-57be-403a-a556-e48f9ecef0b7": { "rule_name": "M365 Quarantine and Hygiene Signal", "sha256": "f2d1e7436634073de94351647b98d9e406d09f11b6250cd96fef280126632366", "type": "query", - "version": 3 + "version": 2 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "ed8dcb92cfeba3e300ed4a8d4692886005db714dc1ec5c71e5b68c0da285cde6", "type": "eql", - "version": 317 + "version": 316 }, "4bd306f9-ee89-4083-91af-e61ed5c42b9a": { "min_stack_version": "9.3", "rule_name": "Service Account Token or Certificate Access Followed by Kubernetes API Request", "sha256": "2bd3b29bb1de58aceb5f105d638bee45273c848f3ee80c7cee83e90a04964ee5", "type": "eql", - "version": 4 + "version": 3 }, "4c3c6c47-e38f-4944-be27-5c80be973bd7": { "rule_name": "Unusual SSHD Child Process", "sha256": "7836bbad444d51d5c8299aea810ea766e37ff1aaa90696ff4de74a6882d1fa3a", "type": "new_terms", - "version": 8 + "version": 7 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "rule_name": "PowerShell Share Enumeration Script", "sha256": "53e870fdfb17df75e77e5625dad994b7014b21b3b90229e0436817acaa6aad78", "type": "query", - "version": 117 + "version": 116 }, "4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c": { "rule_name": "Azure Storage Account Blob Public Access Enabled", "sha256": "3a0186ed0069a6b04d772c0376819879b9f3230c5f97929c81fa54bb2ba09635", "type": "new_terms", - "version": 3 + "version": 2 }, "4d169db7-0323-4157-9ad3-ea5ece9019c9": { "rule_name": "Potential NetNTLMv1 Downgrade Attack", "sha256": "66c44401346ad331eee974206935f1739356fbdfa1c05b5c43a96d00aa7cf0d2", "type": "eql", - "version": 6 + "version": 5 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { "rule_name": "Kernel Load or Unload via Kexec Detected", 
"sha256": "ed5b0ee6f9acc299b7d681c6c248927820ed37d3afde535bbf22d1f88c8a5d38", "type": "eql", - "version": 114 + "version": 113 }, "4d4cda2b-9aad-4702-a0a2-75952bd6a77c": { "rule_name": "Docker Release File Creation", "sha256": "fcf46bfd3250345e843693606f5fb82feefdc1be32b6a5f2b0f4a2ba0f09777d", "type": "eql", - "version": 5 + "version": 4 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "33007e4af04655ed7b7d38d9aa4047437e04c7a32a683fb1d94d0c6f9c0126bc", "type": "threshold", - "version": 215 + "version": 214 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", "sha256": "15628d00707d5cb8162b39822a54eaefbaba7cacec4fe61de572319ea4b25767", "type": "eql", - "version": 112 + "version": 111 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "2547fbd8709d4cf9e8f4bd0048a897e98859ec4f7ab564261d6a52e38f94d2ef", "type": "eql", - "version": 321 + "version": 320 }, "4df91789-7859-4bc4-9c5a-6b56bfa81a8b": { "rule_name": "Kubernetes Service Account Token Created via TokenRequest API", "sha256": "0706a9e1eb235c20672104023108aba9b31558c357fbe714d749883acecfda4f", "type": "query", - "version": 2 + "version": 1 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "18af43592e9ea1cab61766146cc9e4060b3d000eea41d6ed6b5e839350b3e422", "type": "eql", - "version": 118 + "version": 117 }, "4ec47004-b34a-42e6-8003-376a123ea447": { "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", "sha256": "3141b56172d9325f7e292f8848a1c32a7d10bbe33ba9a2d6876e5a8895c80063", "type": "eql", - "version": 116 + "version": 115 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "fee10156d1f4a3f29bc42acbf1ad6ee3ba381b251d656d9705905328d11f7503", "type": "new_terms", - "version": 
320 + "version": 319 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "rule_name": "Suspicious Script Object Execution", "sha256": "8b925f4de064a926ab17d2911e80bf6947d6e864da4aad5afcebc3491a482ecb", "type": "eql", - "version": 215 + "version": 214 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "rule_name": "Unauthorized Access to an Okta Application", "sha256": "86ae4800d9e3322d8946ef71eadb796219d883ca2d8b3772316c430eff73718e", "type": "query", - "version": 416 + "version": 415 }, "4f2654e4-125b-11f1-af7d-f661ea17fbce": { "rule_name": "M365 SharePoint Search for Sensitive Content", "sha256": "4bad672d48c22df5551ec3342e6f2c08bd9615a39c6c71edae46085f8673643c", "type": "eql", - "version": 3 + "version": 2 }, "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "rule_name": "Kernel Unpacking Activity", "sha256": "991d514239a7588fb6359ef0829150e5fba13a68886bf02602eff1ce014b7a26", "type": "eql", - "version": 8 + "version": 7 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "rule_name": "Unusual High Confidence Content Filter Blocks Detected", - "sha256": "0049ba0ec56c95ad65db5e90c32b96b6524f6b46b3ec05aa89ff6eedbc0a0a36", + "sha256": "bbed7d005c3add1b1f91865e98385a1db6bab42d2c50a6f304be8f9987154da8", "type": "esql", - "version": 11 + "version": 9 }, "4f8f7c08-ffb5-443f-86c6-0884c964df7b": { "rule_name": "Kubernetes Admission Webhook Created or Modified", 
@@ -4211,97 +4199,97 @@ "rule_name": "Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource", "sha256": "d07ed0c823ebd2b302a39fbc13b2439306173a990c39383beb8bc13e3c30cf43", "type": "query", - "version": 2 + "version": 1 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "rule_name": "Execution via TSClient Mountpoint", "sha256": "657a130aad7d1740532a346a2eb954f882688124f2deeef86f69ff060d2f4459", "type": "eql", - "version": 321 + "version": 320 }, "50742e15-c5ef-49c8-9a2d-31221d45af58": { "rule_name": "Okta Successful Login After Credential Attack", "sha256": "6dad6073685bd27507bd1019c4c661b33314e196d1df27fd1d6a4a26a3f6aa32", "type": "esql", - "version": 4 + "version": 3 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "9f970647e9f0660e49e6297139d0fac8dea160ad9a626410b76241e0e285dab4", "type": "threshold", - "version": 213 + "version": 212 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", "sha256": "38d2e2b85d115c468b86078187b4bf2e2692c83671f32a7800c8d87e8327865e", "type": "new_terms", - "version": 7 + "version": 6 }, "50eba7ec-d3f0-474c-a7f4-0906b68e350f": { "rule_name": "Suspicious SUID Binary Execution (Auditd Sequence)", "sha256": "ba5e9ec616ccbc315188f1f2b4bfae5ad1ebf11fba2f689c08b70842ebd5cada", "type": "eql", - "version": 2 + "version": 1 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { "rule_name": "Windows System Information Discovery", "sha256": "3f5f4187427fe60250c06d4030358ca518b17592c87d264baef1d7091a731c6a", "type": "eql", - "version": 113 + "version": 112 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { "rule_name": "Hidden Files and Directories via Hidden Flag", "sha256": "00a937a6551df200e27af0c95020a908bd832f721000e682fd65f512541cc2c4", "type": "eql", - "version": 109 + "version": 108 }, "5134be90-42c1-4ac7-859c-4d82caaddbec": { "rule_name": "Proxy Shell Execution via Busybox", "sha256": 
"79b4ea149f88a2ee4fc8326864cadcd00ea7b142318e7e9100ab5c90dd688825", "type": "eql", - "version": 2 + "version": 1 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "rule_name": "Registry Persistence via AppCert DLL", "sha256": "f08796645892a9fa8f7c3b67c11e0245ae79f43f1da29dc7f672653ebf69815b", "type": "eql", - "version": 419 + "version": 418 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "M365 Exchange DKIM Signing Configuration Disabled", "sha256": "859bc8f0ef5f23b602f35c59bea15f012d43ae8c80cebb03c3b3b94220e29cd1", "type": "query", - "version": 214 + "version": 213 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", "sha256": "511c2959e42c07c74fe71b4f3da197e85d2a1fb979e23918829861b69aa0bd04", "type": "query", - "version": 110 + "version": 109 }, "5188c68e-d3de-4e96-994d-9e242269446f": { "rule_name": "Service DACL Modification via sc.exe", "sha256": "7b9b5cddfe539d530a81415222048a2f5018ed718b45baabb26fda249de04fbd", "type": "eql", - "version": 210 + "version": 209 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { "rule_name": "Tainted Out-Of-Tree Kernel Module Load", "sha256": "a5c34d9923fd2894a45428381962c575b3377bb30cf355c2869e5344a4e04175", "type": "query", - "version": 9 + "version": 8 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "ace765a7fa2fadc50f7138dafefb3a3ce111971e47f2a4bbe14a21d8a2d616c1", "type": "eql", - "version": 214 + "version": 213 }, "5202697c-313b-4bf0-9029-73fe78cd4b6d": { "rule_name": "EKS Authentication Configuration Modified", "sha256": "39befeda3be5d3566310a0757695d7624f95477d5cc37e279a2385c1b36607be", "type": "query", - "version": 2 + "version": 1 }, "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected", 
@@ -4313,32 +4301,32 @@ "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "0a394ab67c395bcdc27b3ad12d450d8ce316d1f4bb5eb00b82dc41ce9e6713d7", "type": "query", - "version": 213 + "version": 212 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", "sha256": "db0a78fa15e70e7486162d61b6f30566133d52e6433e0e9d7dc42ffbf6eeae48", "type": "eql", - "version": 120 + "version": 119 }, "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": { "min_stack_version": "9.3", "rule_name": "Tool Installation Detected via Defend for Containers", "sha256": "06b375e493f4b41424c0ca40c75d93d51a0530eaa4a352ee6d7853d70b04a0d3", "type": "eql", - "version": 5 + "version": 4 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { "rule_name": "Execution via Microsoft DotNet ClickOnce Host", "sha256": "29634fdc3cfdb91140f35c87f79547edac1b9e106807a8cc21d7ee6b51912e87", "type": "eql", - "version": 5 + "version": 4 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "cde1e6487ebcc56f9050150c0378e2da7deff62ad47b9dab28c2794674535116", "type": "eql", - "version": 215 + "version": 214 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "min_stack_version": "9.4", @@ -4354,7 +4342,7 @@ "rule_name": "Unusual Linux Network Activity", "sha256": "c3933dcb86a4f1abdb07a73739d56f6fd50701e0ce42c766af4402e47f547ba6", "type": "machine_learning", - "version": 209 + "version": 208 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", 
@@ -4372,25 +4360,25 @@ "rule_name": "Suspicious CronTab Creation or Modification", "sha256": "06aa18b798246b990e22baa71af8b598ed63603682333c4694537075d56ce774", "type": "eql", - "version": 113 + "version": 112 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "9cf2ba4a67c472e0406c42262df0bb6ccddb11451ddcf29de0d5985842a08f96", "type": "new_terms", - "version": 16 + "version": 15 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System Deleted", "sha256": "8cf6dfd14e01e720347865eb598fe80c73084a718b4f5703b63d214db4d68052", "type": "query", - "version": 213 + "version": 212 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deleted", "sha256": "7ca60ba6ad3527a0ae4294e9191284da98a6981a9abccf9356442eafe415f24e", "type": "new_terms", - "version": 110 + "version": 109 }, "5378a829-30c2-435a-a0f2-e3d794bd6f80": { "min_stack_version": "9.4", 
@@ -4406,92 +4394,85 @@ "rule_name": "Rare GCP Audit Failure Event Code", "sha256": "c5481b8a55bd8c39a4b9d76e1630bd8329b9339cb43e40347317861244b7db02", "type": "machine_learning", - "version": 102 + "version": 101 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { "rule_name": "Statistical Model Detected C2 Beaconing Activity", "sha256": "13ca397ec6553f6c993d68c532077536be213be3dee894a2609b0aaea9eade5e", "type": "query", - "version": 11 + "version": 10 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", "sha256": "792ed5fc6b0a36233bde6b5f3b81cb38c17352d64cb05bf7695a121087c373c2", "type": "eql", - "version": 320 + "version": 319 }, "53dedd83-1be7-430f-8026-363256395c8b": { "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "c082e3ac3a00dc4956ce3e96ea4ec33d0e3d82e54b0ccacc0ecbdcaea938c347", "type": "eql", - "version": 111 + "version": 110 }, "53ef31ea-1f8a-493b-9614-df23d8277232": { "rule_name": "Pluggable Authentication Module (PAM) Source Download", "sha256": "cd48b0f1d4115b1444172db9c6f59b8c60c75583bf5c511ba0df9ea374aa84f5", "type": "eql", - "version": 8 + "version": 7 }, "54214c47-be7c-4f6b-8ef2-78832f9f8f42": { "rule_name": "Network Connection to OAST Domain via Script Interpreter", "sha256": "1203b6747b51b4832b4ebefe2903731584e77306aacc9f20d75fbf1cf7d1c66e", "type": "eql", - "version": 3 + "version": 2 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "rule_name": "Uncommon Registry Persistence Change", "sha256": "04bf11d21b2237ee52b0b88167f0cfa4fc196dde2f4fbfda8b651395b6ef1329", "type": "eql", - "version": 218 + "version": 217 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "bb8801610e32224071dc341162073ded5df413ddf4c2cdcfb9b7e8442242b149", "type": "query", - "version": 216 + "version": 215 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "rule_name": "Network Logon Provider Registry Modification", "sha256": 
"3cff6043bb08ad2cb24e8d37adc43a86a8670e3e4d63ab64da8590469e6d827d", "type": "eql", - "version": 220 + "version": 219 }, "55a372b9-f5b6-4069-a089-8637c00609a2": { "rule_name": "First-Time FortiGate Administrator Login", - "sha256": "c4fb1ff8ed2ffd5c051d400afa6f897da4a8354945f80a90f239233f10dc7f44", + "sha256": "dc6756e17a5caafb08cff75318b119554d594cf173231c99c746ca29d50d8d3c", "type": "esql", - "version": 6 - }, - "55be0398-e72d-4c02-a916-b11d62af0e29": { - "min_stack_version": "9.3", - "rule_name": "Uncommon DNS Request via Bun or Node.js", - "sha256": "d5c86e334453982f60b35cdb51cdd80067955f1c940ee53cdfb95c6fdb710904", - "type": "new_terms", - "version": 1 + "version": 4 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "b5649c8ab6926d99ffe7da8140bf8d357b61e8cee079d84f7e6f83ec3b98d852", "type": "eql", - "version": 219 + "version": 218 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "rule_name": "PsExec Network Connection", "sha256": "af8f8b17e077e18ee55fe944de4a17281aedb7f00d55333d69560c44623fcfd7", "type": "eql", - "version": 215 + "version": 214 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { "rule_name": "Windows Installer with Suspicious Properties", "sha256": "a8fdb430eef1c2a8a281cadce30763cc48c12db7cd45cafcc018d558cac60d8d", "type": "eql", - "version": 5 + "version": 4 }, "55f711c1-6b4d-4787-930d-c9317a885adf": { "rule_name": "Suspicious Execution with NodeJS", "sha256": "afa591418c578bdd961e701d31a05f0a953c1cd95151b2aef63107e7e00a5fe0", "type": "eql", - "version": 5 + "version": 4 }, "56004189-4e69-4a39-b4a9-195329d226e9": { "min_stack_version": "9.4", 
@@ -4507,61 +4488,61 @@ "rule_name": "Unusual Process Spawned by a Host", "sha256": "d1bc1e43d67b87351b3a10c4bd73b589d019f0eb8f4519a5fdd013f9c57732a8", "type": "machine_learning", - "version": 211 + "version": 210 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "9bc6208af462e05208a3ba998898d18819968882805d9c738507807be1b330c2", "type": "eql", - "version": 211 + "version": 210 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "8cf3c09ba2db0c7300a67369106a28725e2c5cc57e9c57d8cf14fe64d7a8c303", "type": "query", - "version": 213 + "version": 212 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "rule_name": "Potential Admin Group Account Addition", "sha256": "87db461459ea0a1c445b59dfa9d8e7368c2afc905f30243a589b82af51f8515d", "type": "eql", - "version": 212 + "version": 211 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "rule_name": "Dumping of Keychain Content via Security Command", "sha256": "e402572e5dc8c2c7305905227898b75e4d1a151ec425b3c8b433e5816cd325d4", "type": "eql", - "version": 113 + "version": 112 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", "sha256": "a41c9b731116a7c1e1a6c3aa9f43347ea30abb1eea8076c45c74804e6b07a048", "type": "query", - "version": 110 + "version": 109 }, "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": { "rule_name": "Windows Sandbox with Sensitive Configuration", "sha256": "cb4b6f0adb8773383e682fe16570cbca4179d222ed197d04b3d89fa29926d486", "type": "eql", - "version": 5 + "version": 4 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "rule_name": "PowerShell PSReflect Script", "sha256": "3a6e599f9d4af81d7cd9eabc89715d727103b98f4323896df81d7d3cc2fe6f74", "type": "query", - "version": 319 + "version": 318 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { "rule_name": "Execution of an Unsigned Service", "sha256": 
"98a1bb00cc5109dfee42a633f855fff9346d0648551bebc3d0863b1561b49aa2", "type": "new_terms", - "version": 110 + "version": 109 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "5df33e1e630173c386e4532fe8fccafa945c531cdaad3bf9f65a20605287464b", "type": "query", - "version": 112 + "version": 111 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Elastic Endgame", 
@@ -4579,55 +4560,55 @@ "rule_name": "AWS Credentials Searched For Inside A Container", "sha256": "b09e2c974cc1d80c0c75f3799dc517a1ba657bb18f02243743e329247980db61", "type": "eql", - "version": 5 + "version": 4 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "rule_name": "PowerShell MiniDump Script", "sha256": "5c5ee438716479240dd176d2f4b269ac7093f03e6ceffde51b86912f8b8d4ee2", "type": "query", - "version": 215 + "version": 214 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "4944bbed621deeb513b94814d78fab8b15895a6fbf5a4b3c12e69c50f5a82be6", "type": "eql", - "version": 110 + "version": 109 }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { "rule_name": "DNS Global Query Block List Modified or Disabled", "sha256": "971eb40543306c60de5695b0c5c5323b2de381b23f1e442ce30cb39d29eb2c97", "type": "eql", - "version": 212 + "version": 211 }, "57e118c1-19eb-4c20-93a6-8a6c30a5b48b": { "rule_name": "Remote GitHub Actions Runner Registration", "sha256": "8da226b40be571223b8382299f5497f08742a417a0afe756e9005488a6a3604a", "type": "eql", - "version": 4 + "version": 3 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Backup Deletion with Wbadmin", "sha256": "ab7e97c915d3a23943a57f5610efdbf9dfa1c8b60f4a82155800f5eb754553dc", "type": "eql", - "version": 321 + "version": 320 }, "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": { "rule_name": "Unusual Web Config File Access", "sha256": "d0e52d0a9d67db8bc963869c1db6a15171b3f593e995b5a08bc6bde2194de611", "type": "new_terms", - "version": 5 + "version": 4 }, "5889760c-9858-4b4b-879c-e299df493295": { "rule_name": "Potential Okta Brute Force (Multi-Source)", "sha256": "cdac32489551a612c6bdd1002c5f9beb3f39e4e418574f5d004a7307b21e02c3", "type": "esql", - "version": 4 + "version": 3 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", "sha256": "80ca9aa2214417366e41ffd82cd9a7232496f7791e47f1fe0b600d0b8425bf40", "type": "eql", - "version": 318 + "version": 317 
}, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", @@ -4639,37 +4620,37 @@ "rule_name": "Potential Lateral Tool Transfer via SMB Share", "sha256": "ac7bf2a46ba5a70e8f7adf24b3dff91fc99d215a6ead840ce7f034f27e013106", "type": "eql", - "version": 114 + "version": 113 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", "sha256": "4d86cd35f177a472f2469c620376892ff2965ae63188678ced96c35b2bfa11b3", "type": "eql", - "version": 117 + "version": 116 }, "590fc62d-7386-4c75-92b0-af4517018da1": { "rule_name": "Unusual Process Modifying GenAI Configuration File", "sha256": "4c8318ca5f58fb1f5df70040197b63e88f8b5f390e666cc85e3eac0c39129222", "type": "new_terms", - "version": 7 + "version": 6 }, "5919988c-29e1-4908-83aa-1f087a838f63": { "rule_name": "File or Directory Deletion Command", "sha256": "7742b4d700c05a6edae94904b1648746b5b85845c114eb60cbfc8fb84972171f", "type": "eql", - "version": 8 + "version": 7 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish", "sha256": "52f073fe724020db891045530704a08c294fa95ee10247f3232467f93bd3fb85", "type": "query", - "version": 214 + "version": 213 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", "sha256": "820bd96ddd179512b9d5a0163bb9f14bab4331cc45be72aa7718ebace53c28c0", "type": "query", - "version": 215 + "version": 214 }, "59756272-1998-4b8c-be14-e287035c4d10": { "min_stack_version": "9.4", 
@@ -4685,127 +4666,127 @@ "rule_name": "Unusual Linux User Discovery Activity", "sha256": "60849ad13847f09c4d9a8563601b9291916f289bea439f511a4171ec4a013351", "type": "machine_learning", - "version": 209 + "version": 208 }, "59bf26c2-bcbe-11ef-a215-f661ea17fbce": { "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source", "sha256": "4ee4a4ce4a9ac868a787a8fcadc3d1b7655e2840e1b76969a14ac4571928d40a", "type": "new_terms", - "version": 10 + "version": 9 }, "5a138e2e-aec3-4240-9843-56825d0bc569": { "rule_name": "IPv4/IPv6 Forwarding Activity", "sha256": "d9cf4c038f53b5ebd1c30a304fb8870d6145d0785926200cf0374842c84220ff", "type": "eql", - "version": 109 + "version": 108 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "1f54949694e1a11f3a6cfb3b63ee8e578f5bf33cdb23bf40ea319d20845ff3d0", "type": "eql", - "version": 315 + "version": 314 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "rule_name": "Potential Reverse Shell via Java", "sha256": "c5e601c37a1f317b85f5d0a30462e149c962b83d62e9b3655509a65b1a4668d1", "type": "eql", - "version": 15 + "version": 14 }, "5a876e0d-d39a-49b9-8ad8-19c9b622203b": { "rule_name": "Command Line Obfuscation via Whitespace Padding", - "sha256": "4f8678e1a8482e9d680fbd05a4eb152a92d5e62b859d7d636ef207ace9a4c2a5", + "sha256": "1bf4f552f7599807a7e15afba35b168d0ca331e3b70e945506eb527d1e088934", "type": "esql", - "version": 6 + "version": 4 }, "5ab49127-b1b3-46e6-8a38-9e8512a2a363": { "rule_name": "ROT Encoded Python Script Execution", "sha256": "3570dec854c263de8cdebc1855ebfe5f7ab4526fc849b9e3a925eca865cdb5c7", "type": "eql", - "version": 7 + "version": 6 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { "rule_name": "Potential Chroot Container Escape via Mount", "sha256": "8e98b708a9211e5d0ebef862842c54d085108d51b98842c091c5b26228dfa6ee", "type": "eql", - "version": 109 + "version": 108 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login 
Enabled via systemsetup Command", "sha256": "633d6227e7b67c05c46dd509f2cd8d07f37e29fa580d76f692df49fea3e78ff7", "type": "eql", - "version": 112 + "version": 111 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "2cfbca1b129860895636735b8d15df004c74a582e3be5fc79d043ee9eb08bd50", "type": "eql", - "version": 315 + "version": 314 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", "sha256": "d3606ed659895f8c1cfdbff613629c196b862c209892b801f1b8370aaaf4277d", "type": "eql", - "version": 115 + "version": 114 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { "rule_name": "SUID/SGUID Enumeration Detected", "sha256": "600013f59808acf8e3fbcb916efe820a124db6b8d3605bf5fe031d1b729b358d", "type": "eql", - "version": 12 + "version": 11 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { "rule_name": "Suspicious which Enumeration", "sha256": "dfef9c7a379453c311f0bfab1d39e33e823cd53ca0d1401b0c395667b781beb7", "type": "eql", - "version": 113 + "version": 112 }, "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": { "rule_name": "Successful SSH Authentication from Unusual User", "sha256": "7be56f4b8d28507b68d83d793cca3e982deab0387b8e00b6117aafe109cb2bc3", "type": "new_terms", - "version": 6 + "version": 5 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", "sha256": "4556a2b4d9ae5c0709537287d7c352c49fd07266ec3e249028df8c684d8e7bf2", "type": "eql", - "version": 10 + "version": 9 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation", "sha256": "8a47a48d97d6455444a465225652850ef188dd562e9f8c43f6fc8781a717f891", "type": "new_terms", - "version": 324 + "version": 323 }, "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { "rule_name": "Boot File Copy", "sha256": "9631f14860402dcf2e73a1613d08cf82bef87f7b793098b03b5ececfe9236c85", "type": "eql", - "version": 6 + "version": 5 }, 
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": { "rule_name": "Base64 Decoded Payload Piped to Interpreter", "sha256": "027fc040e1e9e549efb1038c541a0965a6a625c7cfa7ac595dfc9747ffca5b09", "type": "eql", - "version": 8 + "version": 7 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "7e201a9f630b65ea3703f55383653c8c701324ea8334853c13efb45ddd45bb79", "type": "query", - "version": 213 + "version": 212 }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "rule_name": "Process Capability Enumeration", "sha256": "958cb09fe0453597f345b91d73f1f8cf88e769e76285da2a9029817841f976b0", "type": "eql", - "version": 10 + "version": 9 }, "5c495612-9992-49a7-afe3-0f647671fb60": { "rule_name": "Successful SSH Authentication from Unusual IP Address", "sha256": "1131f0ba1299b1673272bd63bc99e020893f13a54959cc573c19f06e3c6d27c0", "type": "new_terms", - "version": 6 + "version": 5 }, "5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": { "rule_name": "Deprecated - SSH Process Launched From Inside A Container", 
@@ -4817,31 +4798,31 @@ "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "4ab3780669514a3c38d185828e425d62f8005baf7e564cfe108f7922d0d02d72", "type": "query", - "version": 109 + "version": 108 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "rule_name": "First Time Seen Account Performing DCSync", "sha256": "6efcf236f3f9c9963fb10ebd45d9b9de86581067dc5b3515bab1cdc720278271", "type": "new_terms", - "version": 120 + "version": 119 }, "5c81fc9d-1eae-437f-ba07-268472967013": { "rule_name": "Segfault Detected", "sha256": "6ae08cb11476bde01a0bc5e23c18dbeb3c64c7f9f56cadc416776d004a3f3938", "type": "query", - "version": 5 + "version": 4 }, "5c832156-5785-4c9c-a2e7-0d80d2ba3daa": { "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", "sha256": "f60eb9f78e9b31ecc263168312144052efe7d3d67430d9e8e4bc68396f433f20", "type": "eql", - "version": 107 + "version": 106 }, "5c895b4f-9133-4e68-9e23-59902175355c": { "rule_name": "Potential Meterpreter Reverse Shell", "sha256": "499e822266c7a93e65eed7dd53f2d4762b9ede773ae711da386d2dd215831704", "type": "eql", - "version": 13 + "version": 12 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "9.4", 
@@ -4857,86 +4838,86 @@ "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "e6d2c1bb66e9d94d5a0fc9e25fe3d8dd9a75eb35f100ed631a3df105e5748711", "type": "machine_learning", - "version": 208 + "version": 207 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "rule_name": "Potential Defense Evasion via PRoot", "sha256": "e1ae2e1cbed489a77754e6fab8a50f37f6de818e6fa2ca20d8096664e8add36c", "type": "eql", - "version": 113 + "version": 112 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "26553adf03310ab42539ce968440da4d62fc1fd18788e3d2f13aab321c9255db", "type": "eql", - "version": 216 + "version": 215 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "rule_name": "User Added to Privileged Group in Active Directory", "sha256": "f804eba2756db8092e43ff3affebdb403dbdc631098bebd3cdaf6ba3829b043e", "type": "eql", - "version": 218 + "version": 217 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "rule_name": "Persistence via PowerShell profile", "sha256": "bc50204842263093d6d6ad331922bf865f62b4a06b43ef3f9321955c32ad22ea", "type": "eql", - "version": 216 + "version": 215 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", "sha256": "e818c9edc963124f3fe4b690ac99f23981b4899d2ec0bbbffbb93c5590b8756b", "type": "eql", - "version": 113 + "version": 112 }, "5d1c962d-5d2a-48d4-bdcf-e980e3914947": { "min_stack_version": "9.3", "rule_name": "Forbidden Direct Interactive Kubernetes API Request", "sha256": "d27959c1650287e616fb7b235e828792e56a049f59244ffc1d56ad66b4b99d32", "type": "eql", - "version": 4 + "version": 3 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "c06d312788de6b526b2eda5008ba2de688020524b0142b2a077d564b7141a2e8", "type": "eql", - "version": 217 + "version": 216 }, "5d676480-9655-4507-adc6-4eec311efff8": { "rule_name": "Unsigned DLL loaded by DNS Service", "sha256": 
"ce96526f1173cee77a4a1a49988e5b43cac66b19bc7f0e268d904961da06ddc3", "type": "eql", - "version": 109 + "version": 108 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", "sha256": "7a9ce14eef48ed766c137dbe638528f60bbfd889852e3b0e0251ed30b6ed4b98", "type": "eql", - "version": 113 + "version": 112 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "048a359ddaed92e5d025d84b05ee14e0aeb65e3c2f980eefac7cd3196a48085b", "type": "query", - "version": 112 + "version": 111 }, "5e23495f-09e2-4484-8235-bdb150d698c9": { "rule_name": "Potential CVE-2025-33053 Exploitation", "sha256": "2b8137ee0622fa13bc6ca0d3bfa15b56f7274e8b11ddf245d4adb0d4dcc22a53", "type": "eql", - "version": 5 + "version": 4 }, "5e4023e7-6357-4061-ae1c-9df33e78c674": { "rule_name": "Memory Swap Modification", "sha256": "84ab5ac7a9d4da0254311ffb718735490af81e6cb6c191ead1f08277e7a520e9", "type": "eql", - "version": 109 + "version": 108 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Deprecated - M365 Teams Guest Access Enabled", "sha256": "266a162de1fb161531696272816f4b94596b9e60e70a673859f3162efb4333e6", "type": "query", - "version": 215 + "version": 214 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", 
@@ -4958,109 +4939,109 @@ "rule_name": "Unusual Process Detected for Privileged Commands by a User", "sha256": "5ec3183a9be36f68aded429224d36cce68ddfb8a955fcc82adb868c3880f0b8c", "type": "machine_learning", - "version": 105 + "version": 104 }, "5f0234fd-7f21-42af-8391-511d5fd11d5c": { "rule_name": "AWS S3 Bucket Enumeration or Brute Force", "sha256": "b03598902c032a90bd8c08caf8f74055975dd2b075bd845d15f0d4093459f506", "type": "threshold", - "version": 10 + "version": 9 }, "5f0fff18-f340-444b-9a98-c49ade766ff4": { "rule_name": "Kubernetes and Cloud Credential Path Access via Process Arguments", "sha256": "04635b1ebb2304ae1b43367de6032f6441c7f291dbc720cecb740ef3c2560809", "type": "query", - "version": 2 + "version": 1 }, "5f2f463e-6997-478c-8405-fb41cc283281": { "rule_name": "Potential File Download via a Headless Browser", "sha256": "243733569b61c9258414f81794aa80af97b0ce2a578f54cb1fc3eb3b6ffc5deb", "type": "eql", - "version": 210 + "version": 209 }, "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { "rule_name": "Potential Docker Escape via Nsenter", "sha256": "9b1fac0383ed7d24fc3004e580cec7bd3f701dee9659155fe2a61132c4c6280e", "type": "eql", - "version": 6 + "version": 5 }, "5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": { "rule_name": "NetSupport Manager Execution from an Unusual Path", "sha256": "f49bf2a2ea1c32cc3ab338dd4e8f8b582091b3afe242ad98d6e048aed2256252", "type": "eql", - "version": 4 + "version": 3 }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Compute VM Command Executed", "sha256": "8adae74085d1b365f947e33813e55390fedd6e9a18b0a155e3bc3ca16f8b6bb3", "type": "query", - "version": 109 + "version": 108 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "rule_name": "Entra ID Service Principal Created", "sha256": "53b3bb3ed81272c5cd748118879a25c793a01b0a8bad0cf6cf57a42745b3ba2b", "type": "query", - "version": 111 + "version": 110 }, "60c814fc-7d06-11f0-b326-f661ea17fbcd": { "rule_name": "M365 Threat Intelligence Signal", "sha256": 
"c39e4b442c100c558bad0866d26a3af772db700ab66c684e39f81c52511c464e", "type": "query", - "version": 5 + "version": 4 }, "60da1bd7-c0b9-4ba2-b487-50a672274c04": { "rule_name": "Discovery Command Output Written to Suspicious File", "sha256": "272a08b491e9e0ed926f59f6e233f7e3a98e77d56dc61ce20e65ccc863a87d4e", "type": "eql", - "version": 3 + "version": 2 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Deprecated - M365 Exchange DLP Policy Deleted", "sha256": "b61525284954c4fc0497d4722706527fd82f0c909a0d9d5d8436eb4eb64c73eb", "type": "query", - "version": 215 + "version": 214 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", "sha256": "20c0a63a1c617c1d92a564858fc23ec78f1cd2737c5ea492135d8d6d73d6cf20", "type": "eql", - "version": 214 + "version": 213 }, "61336fe6-c043-4743-ab6e-41292f439603": { "rule_name": "New User Added To GitHub Organization", "sha256": "20989b28438ebb27b577cc7e27b4a8fddb5f0e786199089dbf791275399a39f7", "type": "eql", - "version": 208 + "version": 207 }, "616b8d00-05f8-11f1-8f33-f661ea17fbce": { "rule_name": "Entra ID Service Principal Federated Credential Authentication by Unusual Client", "sha256": "b8a0677840e2ac54c009dfc71b670853c992e15ab05a71bbbeed68c4b46d35e3", "type": "new_terms", - "version": 4 + "version": 3 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "rule_name": "Interactive Logon by an Unusual Process", "sha256": "2a25d4c5aad531f8baec6e0f8a8a24a0fd3f1244408d9bddbf8d27fd796a2cd9", "type": "eql", - "version": 110 + "version": 109 }, "618a219d-a363-4ab1-ba30-870d7c22facd": { "rule_name": "FortiGate FortiCloud SSO Login from Unusual Source", "sha256": "1633c7aa0014d0a78d937ad7c074f29e3aae5b3ddaf38ce799a5141b9cdebaec", "type": "esql", - "version": 5 + "version": 4 }, "618bb351-00f0-467b-8956-8cace8b81f07": { "rule_name": "AWS S3 Bucket Policy Added to Allow Public Access", "sha256": "3add80c1e8b09bdfcf8f584070eca230034c9b21f79833ba3fe4693e6f61f11c", "type": "eql", - "version": 4 + 
"version": 3 }, "61ac3638-40a3-44b2-855a-985636ca985e": { "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "be24ceae2afa9baef47813fd03666ea34a8f4036452bf224e709f3f059656acb", "type": "query", - "version": 321 + "version": 320 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -5072,31 +5053,31 @@ "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "898d586695a755ed54cf089cb8a62fce3c122615f91824a319f0bc896b29a1fc", "type": "eql", - "version": 220 + "version": 219 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "e0477a60892cad9da6b82baf80a54de4df04b8f72415f9f443b405c02849bc35", "type": "threshold", - "version": 212 + "version": 211 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "277bd1c15f356f6fe781c3b6e303d8cc742ef862f2dfbee02ad935fe105a085b", "type": "eql", - "version": 213 + "version": 212 }, "627374ab-7080-4e4d-8316-bef1122444af": { "rule_name": "Private Key Searching Activity", "sha256": "79f110a532df654130e63c8b81f83d83d968d2789069f0c82d5fc5cd50e602da", "type": "eql", - "version": 108 + "version": 107 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "rule_name": "Account Configured with Never-Expiring Password", "sha256": "9b330c0df477e18fc4f7752d72e5b9bd2518f96989dc84c247943246459ff92c", "type": "eql", - "version": 218 + "version": 217 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { "rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection", 
@@ -5108,73 +5089,73 @@ "rule_name": "Persistence via Suspicious Launch Agent or Launch Daemon", "sha256": "e96f8422546d427d174b67e32e22f9f294338e62a32b312144be86d8f54cbf31", "type": "eql", - "version": 2 + "version": 1 }, "63153282-12da-415f-bad8-c60c9b36cbe3": { "rule_name": "Process Backgrounded by Unusual Parent", "sha256": "030fd3f59aba85e33e9013260fe60ecd2b7e4e805aece285791cb170737d59d9", "type": "new_terms", - "version": 6 + "version": 5 }, "632906c6-ba8f-44c0-8386-ec0bbc8518bf": { "rule_name": "M365 SharePoint Site Sharing Policy Weakened", - "sha256": "76bf9d181f4bf2c94377009c32dae09ae0ad9eab96bbc371a6e0972cd061b909", + "sha256": "df946fcbb376eb3a51b2e8299075494cccd95d5229b4b956537d4f162ce80731", "type": "query", - "version": 5 + "version": 3 }, "63431796-f813-43af-820b-492ee2efec8e": { "rule_name": "Network Connection Initiated by Suspicious SSHD Child Process", "sha256": "3b0351c806161fe08412397624b92f4f969afffbb96b21e055a0631d33614a4f", "type": "eql", - "version": 10 + "version": 9 }, "63c05204-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", "sha256": "e6322acdcf8bfdea43c886c81f1d74c7982802542e500006806f52c422a951b3", "type": "query", - "version": 13 + "version": 12 }, "63c056a0-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent", "sha256": "7de86c2aa0f76814053d0f5818bc392c8c2e59db281f8891357f87d0057dfc26", "type": "new_terms", - "version": 13 + "version": 12 }, "63c057cc-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent", "sha256": "298014d2796245f46bde784ce5a8c9a9bd75184e6d80bab634ae84b03fa3710c", "type": "new_terms", - "version": 14 + "version": 13 }, "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "rule_name": "Sensitive Registry Hive Access via RegBack", "sha256": "4fba1a906dc24aa562d7f26cec26c9dcda0607ed266e8b587cfddf5a6f683d29", "type": "eql", - "version": 8 + "version": 7 
}, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", "sha256": "ba4096f48f3a66bf6278a94d26beb5dd78a438641db6fc511bf73d79bbe9986d", "type": "eql", - "version": 214 + "version": 213 }, "640f0535-f784-4010-b999-39db99d2daeb": { "rule_name": "Potential Git CVE-2025-48384 Exploitation", "sha256": "96a8f21a03b2eacdcb3c26f34ea7073e5fb7b7804eab2e552278f4b9a8524d75", "type": "eql", - "version": 3 + "version": 2 }, "640f79d1-571d-4f96-a9af-1194fc8cf763": { "rule_name": "Dynamic Linker Creation", "sha256": "a3ad27a4e1aba1d93a8fcff149f1e5ae7d0563416aa19c3e8221f2661ddface0", "type": "eql", - "version": 10 + "version": 9 }, "642ce354-4252-4d43-80c9-6603f16571c1": { "rule_name": "System Public IP Discovery via DNS Query", "sha256": "bef682517bba6454fba3806195c56aa37a003760553409c96e4ac565bcbe7b7e", "type": "eql", - "version": 5 + "version": 4 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "min_stack_version": "9.4", 
@@ -5190,31 +5171,31 @@ "rule_name": "Anomalous Process For a Linux Population", "sha256": "cfbfe676b63f196bd4399206148f3a8920d108155f2abfa3c4bf59600cb422e0", "type": "machine_learning", - "version": 208 + "version": 207 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", "sha256": "c6de97f12a7345d14030b631a6baa062804944e85c22ece163742abc536d4b59", "type": "eql", - "version": 113 + "version": 112 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "rule_name": "Network Connection via Recently Compiled Executable", "sha256": "7a4ee8a9aed27286d48b832645557e5b2b3be000c4b6d33e49f64977508ff9da", "type": "eql", - "version": 13 + "version": 12 }, "64f17c52-6c6e-479e-ba72-236f3df18f3d": { "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences", "sha256": "db724e0530dad97417c3737f077e737a1dfdf44b5ae1d4621f68d2fba0a4c75d", "type": "esql", - "version": 13 + "version": 12 }, "6505e02e-28dd-41cd-b18f-64e649caa4e2": { "rule_name": "Manual Memory Dumping via Proc Filesystem", "sha256": "cc3d4c8b00317668d507150f4b0441132efe96a271f0e24182e1cf439f2bb036", "type": "eql", - "version": 5 + "version": 4 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { "rule_name": "Potential PrintNightmare Exploit Registry Modification", 
@@ -5226,68 +5207,68 @@ "rule_name": "MsiExec Service Child Process With Network Connection", "sha256": "d8cda461562a61f7ce64ed7629a070991b408f4432d740fc350a331768e162f6", "type": "eql", - "version": 207 + "version": 206 }, "65613f5e-0d48-4b55-ad61-2fb9567cb1ad": { "rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments", "sha256": "0d9923c694d6f9e84a63f6978e5c542e08285a98fca12980503e9b9e6e4e7909", "type": "new_terms", - "version": 6 + "version": 5 }, "656739a8-2786-402b-8ee1-22e0762b63ba": { "rule_name": "Unusual Execution from Kernel Thread (kthreadd) Parent", "sha256": "b755ed320d3960e63c0cc92dbb2de8e1a6292117110a7f2412799824e5118874", "type": "new_terms", - "version": 5 + "version": 4 }, "65f28c4d-cfc8-4847-9cca-f2fb1e319151": { "rule_name": "Unusual Web Server Command Execution", "sha256": "3d0ea0342f221d21119aee57a595095918d0fd86ad7f58cee311309b90fd0800", "type": "new_terms", - "version": 4 + "version": 3 }, "65f9bccd-510b-40df-8263-334f03174fed": { "rule_name": "Kubernetes Exposed Service Created With Type NodePort", "sha256": "b25056edc655b86fef84b34e0ac3641910735b515a07aedaa5f68db48b4f6937", "type": "query", - "version": 210 + "version": 209 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", "sha256": "7596d477c75194501eab55a1d56dbc23f408e9b52f0d6e9477fa3caf989cd8e1", "type": "eql", - "version": 113 + "version": 112 }, "66229f32-c460-410d-bc37-4b32322cd4bb": { "min_stack_version": "9.3", "rule_name": "Service Account Token or Certificate Read Detected via Defend for Containers", "sha256": "42652c071cbc82b5d5b670ff8b27255c0e0da12b974caa887303d2f29b94ed4f", "type": "eql", - "version": 4 + "version": 3 }, "6631a759-4559-4c33-a392-13f146c8bcc4": { "rule_name": "Potential Spike in Web Server Error Logs", - "sha256": "b082f83d649d990b2719c8e46afbbbcf304481131b23472dd3d3b9257a6efbc4", + "sha256": "e61b3bdfbbae99ac498171b194cea724b8e328dca23b9288ceda1d39ac1355d0", "type": "esql", - "version": 6 
+ "version": 4 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", "sha256": "a7ac6a2e16d97312a1f7e3689e445d816e61c1b2556bd4fc7d7a784553b57be0", "type": "eql", - "version": 13 + "version": 12 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "c8b7ed1cedb954e68d572f77deae21770e0c4204727df0625f6c6f1e66411a6b", "type": "new_terms", - "version": 211 + "version": 210 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "rule_name": "WebServer Access Logs Deleted", "sha256": "46b302e1052795242c5c6996364c7327c196bff092c53ab16033cb472970e7a3", "type": "eql", - "version": 212 + "version": 211 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected", 
@@ -5299,49 +5280,49 @@ "rule_name": "Connection to Commonly Abused Web Services", "sha256": "04483092ea7111ceb52a82ec96688eb7a5720d3ed3caf36c7e6e078b4713255c", "type": "eql", - "version": 132 + "version": 131 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "rule_name": "Linux Process Hooking via GDB", "sha256": "766af4a5b4b8dee8f8ef9498c1f216ad14f6f4755a93fd323998698d1ea1eb05", "type": "eql", - "version": 109 + "version": 108 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "d28d8e99ade43dc293d5e70aad016fc90f10ddea11625285e1adadf2fbd75457", "type": "eql", - "version": 214 + "version": 213 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "a70d87036505f114e41a399e3573e388e43a05046ff89eea597353a7778de895", "type": "query", - "version": 121 + "version": 120 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "rule_name": "Attempt to Modify an Okta Policy", "sha256": "f71ab483864d71a48cf0507edbbd3dff6d995b6508879227e0b7e250970c8097", "type": "query", - "version": 416 + "version": 415 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "M365 Exchange Mailbox Audit Logging Bypass Added", "sha256": "9e19b7471a462cb1508940d24058f3413af1a9726f051383aea06f04e4d56d76", "type": "query", - "version": 214 + "version": 213 }, "6756ee27-9152-479b-9b73-54b5bbda301c": { "rule_name": "Rare Connection to WebDAV Target", - "sha256": "f80cef785da616c90f873bd095a5ccb06bceb99db19e6f824838be0b7a98c066", + "sha256": "92dc23143cbc051ac463e1539ef050749a186cdfe3109f3ac86c9460ddd6f70b", "type": "esql", - "version": 10 + "version": 8 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", "sha256": "e6ecd90c1ffa19eca2a67af1b6c71e975b28190e2c7f1f5c14e41903155bbe1b", "type": "query", - "version": 415 + "version": 414 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", 
@@ -5353,7 +5334,7 @@ "rule_name": "High Number of Process Terminations", "sha256": "d4b68db35dd8a14409e6834fd97cc1e2a3b99967615f1f2270ae10e6d04dc2b3", "type": "threshold", - "version": 119 + "version": 118 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", 
@@ -5365,85 +5346,85 @@ "rule_name": "Image File Execution Options Injection", "sha256": "4abbdf2842ee1bcb6bdcb3f3b63039758c8b7295afb207b98f0304bc9077d56b", "type": "eql", - "version": 316 + "version": 315 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "M365 Exchange Federated Domain Created or Modified", "sha256": "ff4eb2e457d5e3ebe7454a8eb3478eb11c7a177531c3ddd4ab3336c25709cc38", "type": "query", - "version": 215 + "version": 214 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "944fb024ccefc8bb13bca9d85069633c0bd5b285d5b4e1fc8045e2bc1b44d5b1", "type": "query", - "version": 414 + "version": 413 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "9beba421bcfa504de24c2c44258d0fef5a2d5ba3711c7cc49e6b76ee0e0fdecb", "type": "eql", - "version": 319 + "version": 318 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "beb7c099e4c87d3147444605e39e6fb2a85af130454c62d43ae6eba5307ce395", "type": "query", - "version": 212 + "version": 211 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "f7eb5ecf08a0a74de530a080fd2441011bc3c38249a554220b2e2d15494fb386", "type": "eql", - "version": 213 + "version": 212 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "ca809a6bd6c5e473da5a47132318262a0953bf2a6bf09e1a3bcf772bcdea2d77", "type": "query", - "version": 216 + "version": 215 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "f279475dc730bc14f2dfd1ac9bc7084af731d369aaac73cf5fc818804da8e062", "type": "eql", - "version": 111 + "version": 110 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", "sha256": 
"ad69aa058d530466a81bf883cda42a241f9ad8a415e5291d1aea004a51787720", "type": "query", - "version": 4 + "version": 3 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "c65e804191ff9e8784d38dcbad208bc9015d005343b4073fa0671575a942d4fb", "type": "eql", - "version": 216 + "version": 215 }, "68e90a9b-0eab-425e-be3b-902b0cd1fe9c": { "rule_name": "Suspicious Path Mounted", "sha256": "c0ba7548cc496aae440498c2f64657c17215d4d8c1fc31821b516a0e55804eb3", "type": "eql", - "version": 4 + "version": 3 }, "6926b708-7964-425f-bed8-6e006379df08": { "rule_name": "FortiGate SOCKS Traffic from an Unusual Process", "sha256": "d649b848c5586e36017ccecc790367c99ca06795b3a429e69b524a3653d2bd55", "type": "eql", - "version": 4 + "version": 3 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "sha256": "746b43837e7ae358433e6c7a94c73a422528fb56a1902ab5a8be4999867587d0", "type": "query", - "version": 114 + "version": 113 }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "rule_name": "AWS IAM User Created Access Keys For Another User", "sha256": "a9bc6c80faa8050ae1541d7eee9897b8fbdb2612cca00069af0033e33a4817b1", "type": "esql", - "version": 14 + "version": 13 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", 
@@ -5455,79 +5436,79 @@ "rule_name": "Suspicious rc.local Error Message", "sha256": "9454ca1b21ce6bfe21d078e24b4f7889fa8857ff6d3aee43af4c4ffae0519891", "type": "query", - "version": 9 + "version": 8 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", "sha256": "afc10ab90f42c4075c81973e33977dfced66e7b5da2b5a85c40e181edfa63058", "type": "eql", - "version": 317 + "version": 316 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS Sign-In Root Password Recovery Requested", "sha256": "7b5ac4f195b8c0bbcc320b3d13f89fa4e87ebc1dda5d046a05b109076ae52048", "type": "query", - "version": 214 + "version": 213 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { "rule_name": "Attempt to Disable Auditd Service", "sha256": "b5bf8c334323c23629142910af291aa50391c82eed1b8a9f7c51e8d40d09d95d", "type": "eql", - "version": 107 + "version": 106 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "AWS EC2 AMI Shared with Another Account", "sha256": "38688952422703a3d3b321bdf3df09ef1d9a20fe5477a4b7a6bead6e6c13dcd7", "type": "query", - "version": 8 + "version": 7 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "f7c6d6964c3063f4a75d0ad2dd294083ed44eb61f6393e97482687d8b587d708", "type": "eql", - "version": 316 + "version": 315 }, "6aa52f86-18f1-4a5a-a0ac-e2b5db8af589": { "rule_name": "Potential Direct Kubelet Access via Process Arguments", "sha256": "a480ab08bb68a023f154a81f536831c446fe45a8dd9c246b4a34c4b93b247cee", "type": "eql", - "version": 2 + "version": 1 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "0e421040f2de589edbc8b55db8ee6a3865f670eccc1b4c5e9cc39c27d5b2e377", "type": "eql", - "version": 424 + "version": 423 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "rule_name": "Suspicious Utility Launched via ProxyChains", "sha256": "59a05181f1febc098b481acbd5cbd5725a57456d619a875909a207d3929c2b9c", 
"type": "eql", - "version": 114 + "version": 113 }, "6b341d03-1d63-41ac-841a-2009c86959ca": { "rule_name": "Potential Port Scanning Activity from Compromised Host", - "sha256": "a4aaa9d6a5944e7bb4d4c2a5c13debc65b09498364ee5686a268ca9e8e0bf614", + "sha256": "e113a73efc518c41b6df6bd67190ab672c30b13dbda77e7e3445ed9d8e54c13f", "type": "esql", - "version": 14 + "version": 12 }, "6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": { "rule_name": "Suspicious Curl to Google App Script Endpoint", "sha256": "25885ed63993320aa591be8ec7247e8cc1829c062e58638919cafebcf46b1d04", "type": "eql", - "version": 3 + "version": 2 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", "sha256": "114363c64adeb62c874af776f1d85c2e2b724262ed90f24a9d2862a2e5889496", "type": "new_terms", - "version": 216 + "version": 215 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "a1618bf40a3d1b476d391bef6a7af40d100c0da42d801e1e12dcdd09bf86fe7e", "type": "eql", - "version": 216 + "version": 215 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { "min_stack_version": "9.3", 
@@ -5543,25 +5524,25 @@ "rule_name": "Container Management Utility Execution Detected via Defend for Containers", "sha256": "914c8911ec926b779845b78a8a67ea55b68742b53eeed37aeece8e781654f707", "type": "eql", - "version": 106 + "version": 105 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "413515468916ea9977f82c881044a80545cce0cb54435a0b57493530e91809a5", "type": "eql", - "version": 315 + "version": 314 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "rule_name": "GitHub Repo Created", "sha256": "53e7e459aac5ef6a3b6aa399a0afefb7b4ec4727ffc73d731a6b4344b0b83431", "type": "eql", - "version": 208 + "version": 207 }, "6cf17149-a8e3-44ec-9ec9-fdc8535547a1": { "rule_name": "Suspicious Outlook Child Process", "sha256": "24294021daf4daac36d25201ce441fdef000f6859d77838c88d1b4c620d1c902", "type": "eql", - "version": 6 + "version": 5 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "9.4", 
@@ -5577,43 +5558,43 @@ "rule_name": "Unusual Process For a Windows Host", "sha256": "9342a3ec46ad8d944851a0ed0e81e1916668c1c67eb353a745fdabb4ddd0d70e", "type": "machine_learning", - "version": 317 + "version": 316 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", "sha256": "52515d5e9039aa01279cbaea65ab4da9d7718f306506f0a16edabfcb918a1a7d", "type": "eql", - "version": 10 + "version": 9 }, "6da6f80f-fe41-4814-8010-453e6164bd40": { "rule_name": "Suspicious Curl from macOS Application", "sha256": "3b2cab38c63f83f8b75a1a46cc2952021ecb6c26c6c258ef2158796eb2b26a89", "type": "eql", - "version": 3 + "version": 2 }, "6ddb6c33-00ce-4acd-832a-24b251512023": { "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse", "sha256": "eff0f62ddd3e0af974bfb14ab0530dd3f3a2a50d19bb8323fca26a786c9f7542", "type": "esql", - "version": 13 + "version": 12 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "rule_name": "Root Certificate Installation", "sha256": "0f941a4eec0eae5e8eafaea7a2a635dfc143067d98587953b98d26e0c1e891cd", "type": "eql", - "version": 107 + "version": 106 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "rule_name": "First Time Seen Remote Monitoring and Management Tool", "sha256": "9ec7d753b697c54652c65201dc1dcd09e6fdc59686ea6113b73fc595265689fb", "type": "new_terms", - "version": 118 + "version": 117 }, "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "rule_name": "Loadable Kernel Module Configuration File Creation", "sha256": "dfa88fafc1898a28d3c0b60e028940c7c8bf94c78ffec613d0a7fb9d99618482", "type": "eql", - "version": 7 + "version": 6 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "9.4", 
@@ -5629,31 +5610,31 @@ "rule_name": "Anomalous Process For a Windows Population", "sha256": "1e7c0617e681eb446d4f478862986e4d1a36fd313f0832c4b7a9a09033adb6d9", "type": "machine_learning", - "version": 312 + "version": 311 }, "6e4f6446-67ca-11f0-a148-f661ea17fbcd": { "rule_name": "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)", "sha256": "305c77756be1aa3ebef6c4519ccf07b2c84119e59377b3bba5a957090f6843c9", "type": "query", - "version": 2 + "version": 1 }, "6e5189c4-d3a5-4114-8cb3-bd3a65713f19": { "rule_name": "System and Network Configuration Check", "sha256": "362706edae4c15e704ffd619c77917cdbb538f4a44606d6f6c6632301bb6750c", "type": "eql", - "version": 3 + "version": 2 }, "6e6376c1-a71e-4789-a795-198b05664064": { "rule_name": "Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)", "sha256": "b0d72fb2fdf17d7765df40825acc7844ad727d6e0a7e402becfcdd378c0eecb3", "type": "query", - "version": 2 + "version": 1 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", "sha256": "59abbe99101114f6fb8998854a935a04ab4c459d3c6720a4db458e53a01505be", "type": "query", - "version": 217 + "version": 216 }, "6e92a21a-58e7-449a-9cfd-9f563f59ac88": { "rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host", 
@@ -5665,19 +5646,19 @@ "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "ab4fc675056ec570e1d0fcee0b5dade33ef3d33131e6bf6d225cffcf9d59ab10", "type": "eql", - "version": 214 + "version": 213 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "4f362555c866031271f8abb08e9f19566d14cb22bd946bed7430bca32e1d9ca1", "type": "eql", - "version": 216 + "version": 215 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "rule_name": "Security Software Discovery using WMIC", "sha256": "1a271b28efc2579203a371e1810f70f4c164c9030910f0cc18297ec982ee80a5", "type": "eql", - "version": 218 + "version": 217 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", @@ -5689,19 +5670,19 @@ "rule_name": "Unusual Exim4 Child Process", "sha256": "7e0456ccada902df35ecfeda239bfbc50dfd31a0dc386834fb8f2ea91eb4039d", "type": "new_terms", - "version": 5 + "version": 4 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding", "sha256": "97da24e60bffad5b475a89da7cb4210ecec866dcac2b9017ae9bc655d0a947be", "type": "eql", - "version": 116 + "version": 115 }, "6f024bde-7085-489b-8250-5957efdf1caf": { "rule_name": "Active Directory Group Modification by SYSTEM", "sha256": "76b7e15f05c16a73302c84e24542e26b21f45b57610fde617b93be59af49017c", "type": "eql", - "version": 109 + "version": 108 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", 
@@ -5713,13 +5694,13 @@ "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "87db5b1008a9782f6cdf83f6404d979b3324bcc547da1c4228118130307d4f8f", "type": "new_terms", - "version": 213 + "version": 212 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", "sha256": "50ac1ff7656d514815a0c4e4c39c449371e045968bc2d901f7d696b6bfaeceba", "type": "query", - "version": 211 + "version": 210 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", @@ -5731,13 +5712,13 @@ "rule_name": "Suspicious SeIncreaseBasePriorityPrivilege Use", "sha256": "1ed183a1e863a65ba89d88e5573fc1f3223f9eacb052a18d95f5ad248c7cba47", "type": "query", - "version": 4 + "version": 3 }, "6fa3abe3-9cd8-41de-951b-51ed8f710523": { "rule_name": "Web Server Potential Spike in Error Response Codes", - "sha256": "b9f814d7930bd32fd38a539e24983d88ba3bdf7a40124d4c4894c0bca4ef3fba", + "sha256": "27e2f30dca9a09abd668da24cbc5efaf03c1466422e00b09ec2d3c29f085da0e", "type": "esql", - "version": 7 + "version": 5 }, "6fb2280a-d91a-4e64-a97e-1332284d9391": { "min_stack_version": "9.4", 
@@ -5753,139 +5734,139 @@ "rule_name": "Spike in Special Privilege Use Events", "sha256": "838b61827d24324be69e2a9674684812960a9c05f5a20d8913051d9a8ae60821", "type": "machine_learning", - "version": 105 + "version": 104 }, "6fcb4fe4-ac74-449d-855b-2bbd5c51c476": { "rule_name": "Multiple Vulnerabilities by Asset via Wiz", "sha256": "0610ae726a3381c2a47b8847eccbe0161250a1617583d4adc8aa5389802803bc", "type": "esql", - "version": 4 + "version": 3 }, "70089609-c41a-438e-b132-5b3b43c5fc07": { "rule_name": "Git Repository or File Download to Suspicious Directory", "sha256": "cbf5324511ebf3d256beb8dd0237adcb4d5d5057979ca6751efcf7a7e11f8152", "type": "eql", - "version": 5 + "version": 4 }, "7020ff25-76d7-4a7d-b95b-266cf27d70e8": { "rule_name": "Interactive Shell Launched via Unusual Parent Process in a Container", "sha256": "f71732f04d4bb9024781631a563a70bc613f39033a63805b0e4f5383ed9f5398", "type": "new_terms", - "version": 4 + "version": 3 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", "sha256": "ef329416e88fd93ee0e0517742245b288bd8c1cd49172672a51d8b93a6a83875", "type": "query", - "version": 217 + "version": 216 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Resource Deletion", "sha256": "3fa1996d6fb2e966a0696cc5971c64d5a29c229f00cf24cf2ef9fa58cc3f261e", "type": "query", - "version": 215 + "version": 214 }, "70558fd5-6448-4c65-804a-8567ce02c3a2": { "rule_name": "Google SecOps External Alerts", "sha256": "3875d92943fd3bd7e6de3c62cedde504db8217fbfd89d59c6a6e5afa159386d3", "type": "query", - "version": 2 + "version": 1 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "65980fe1ae4be0bcb253357e4e833ea08e6cf9acc68b212beaf62c43948c1e50", "type": "eql", - "version": 106 + "version": 105 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", "sha256": 
"cd2bb38a4e974ce084c49ac98d868aadf1d62999ccde4a722c6f7f8681bb55b5", "type": "eql", - "version": 115 + "version": 114 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "sha256": "eee78f93f7aeeb4b4f0ea1b35b303f8ee2141b44381b92e735a4e4cf30039209", "type": "eql", - "version": 112 + "version": 111 }, "713e0f5f-caf7-4dc2-88a7-3561f61f262a": { "rule_name": "AWS EC2 EBS Snapshot Access Removed", "sha256": "98bb1d28c3cc0f6c239a56a9034dfea2bebed6256e2716dcf375e509c4de8ebd", "type": "eql", - "version": 8 + "version": 7 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", "sha256": "f6ead63e1234253e25aea1bb53b931f40995439f8381bf0772392858405f8080", "type": "query", - "version": 13 + "version": 12 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", "sha256": "48698d164ee9ef1e5911162525352f757091d4171f69f61e66b484e3292a3312", "type": "new_terms", - "version": 216 + "version": 215 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "9b65d29fa4cc5f9c11bea2a136e01f88ea77400beade01ab8c4bd36dbed7bb4d", "type": "eql", - "version": 325 + "version": 324 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "7c65898dade61844fe46d042846acb9ef9efc5f9db5d01aa35cdffc5e0069b05", "type": "eql", - "version": 215 + "version": 214 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "rule_name": "Suspicious Passwd File Event Action", "sha256": "6f10456533b056d27a062e3cd7f1b222441c8c716455684202ebbc452087ad19", "type": "eql", - "version": 9 + "version": 8 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", "sha256": "0d241c897dd9c807d936d644c16d714e96efa6b0d3a0742664dc6a58b71cc197", "type": "eql", - "version": 10 + 
"version": 9 }, "720fc1aa-e195-4a1d-81d8-04edfe5313ed": { "rule_name": "Elastic Security External Alerts", "sha256": "5378d1cf9cc62c93c87fca496cb3de399093caee93924ada0c9a7fc88cb0dfee", "type": "query", - "version": 3 + "version": 2 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Deprecated - M365 Security Compliance Potential Ransomware Activity", "sha256": "d6f4b7bdab6bfe9124312ba384a8f64ac35e481f8ee848ed5a0e9ed15340afb2", "type": "query", - "version": 216 + "version": 215 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", - "sha256": "f3a375efa9dad165b0ceee2708b1a82c91b5e018d88c7a9b2e3e9b92105cc17e", + "sha256": "9a4a0b4c3a7765a9f5aa08a40f32fe99e81d8e88a0251547e6e9c333931bdc14", "type": "esql", - "version": 9 + "version": 7 }, "7290be75-2e10-49ec-b387-d4ed55b920ff": { "rule_name": "Suspicious Network Tool Launched Inside A Container", "sha256": "c2ba7bc1f82579e203cf13c0276ae7a02175109e13c3b84aa194fb79ac1745b3", "type": "eql", - "version": 5 + "version": 4 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "f4492ee7450c2a4666b4a18506e59ba9cb9d94cc04f8edbcd923c1dfd1580dd5", "type": "query", - "version": 416 + "version": 415 }, "72c91fc0-4ac0-11f0-811f-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Non-Managed Device", "sha256": "1813453768a993697cc1479da5b1308872b3f2f780e62c10476e0809dca043f7", "type": "new_terms", - "version": 4 + "version": 3 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -5909,62 +5890,56 @@ "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "1e8acd425801d27306a75395ad7553fa89218783a9d5978e7cc46f96b06ee580", "type": "eql", - "version": 211 + "version": 210 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", "sha256": "529e1dbda15b3376095352d027735777a2397abe273d5ddbb29f3d1bd7214944", "type": "eql", - "version": 8 + "version": 7 }, "73344d2d-9cfb-4daf-b3c5-1d40a8182b86": { "rule_name": "AWS API Activity from Uncommon S3 Client by Rare User", "sha256": "4613606a794054e2bcc448e1d406d42931e2fe1c4b16baf16da9c7202686428f", "type": "new_terms", - "version": 4 + "version": 3 }, "734239fe-eda8-48c0-bca8-9e3dafd81a88": { "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", "sha256": "77e205ee183f6c0e0cde587784b03809024a7e9b5cc57a8f974dd2ce582aaaef", "type": "eql", - "version": 8 + "version": 7 }, "737626a2-4dca-4195-8ecd-68ef96fd1bad": { "min_stack_version": "9.3", "rule_name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers", "sha256": "eb5c59bba857613a7fb8d8110f1155d944972005c6f68ebc4ea9fec1a1a12df4", "type": "eql", - "version": 3 + "version": 2 }, "737b5532-cf2e-4d40-9209-d7aec9dd25d5": { "rule_name": "Potential PowerShell Obfuscated Script via High Entropy", "sha256": "5708605ae509a80e9e65f2dbe00db765afb07010b91d983c26301632cb269bf1", "type": "query", - "version": 4 - }, - "73dd1f2c-3c24-4e13-a64b-dfd510e9fd98": { - "rule_name": "Cloud Instance Metadata Credential Path HTTP Request", - "sha256": "6d3abe8a47622302c534cb31973de874ecb522b58b11765981943efc51455150", - "type": "eql", - "version": 1 + "version": 3 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "3dd383b6fe11d4426b88f4569f0a405f1405b9e6655ffe6108d3723e997d4a03", "type": "eql", - "version": 219 + "version": 218 }, "74147312-ba03-4bea-91d1-040d54c1e8c3": { "rule_name": "Microsoft Sentinel External 
Alerts", "sha256": "a34a03f8ae7aa0e2dd7e603598ea2a6ce21901318fe406e2e71b9bb9a42f8d8f", "type": "query", - "version": 2 + "version": 1 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", "sha256": "a9d6c1c782deeaef26911bdcca095460eb5de2281e53e7079c6db36ac880dd22", "type": "eql", - "version": 212 + "version": 211 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "min_stack_version": "9.4", @@ -5980,7 +5955,7 @@ "rule_name": "Unusual Hour for a User to Logon", "sha256": "ac721977de331da992d8c388a41ca573de3fa2661d93b6d29a41a90a9bc1d896", "type": "machine_learning", - "version": 208 + "version": 207 }, "746edc4c-c54c-49c6-97a1-651223819448": { "min_stack_version": "9.4", @@ -5996,13 +5971,13 @@ "rule_name": "Unusual DNS Activity", "sha256": "25d810e576a232cff1b05e8e1cafc5777193188de0f8be7a9f076a6512e89705", "type": "machine_learning", - "version": 209 + "version": 208 }, "74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61": { "rule_name": "Long Base64 Encoded Command via Scripting Interpreter", "sha256": "dd5b413bc795678ac76282ad2b90729974c94632a7d245e19db1783c66b64d64", "type": "esql", - "version": 2 + "version": 1 }, "74e5241e-c1a1-4e70-844e-84ee3d73eb7d": { "min_stack_version": "9.3", @@ -6018,14 +5993,14 @@ "rule_name": "Kubectl Workload and Cluster Discovery", "sha256": "3fb59d0debefff5c213a62421bae47af81fdede0f7c3848bdfca03c7fd031d20", "type": "eql", - "version": 104 + "version": 103 }, "74ee9a2d-5ed3-40c8-9e6c-523d2e6a17ef": { "min_stack_version": "9.3", "rule_name": "DNS Enumeration Detected via Defend for Containers", "sha256": "c5699f232d2c200ebee161e0ddfb53f45756ab0e1b8961965e65a95f0993eee1", "type": "eql", - "version": 3 + "version": 2 }, "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { "min_stack_version": "9.2", 
@@ -6039,9 +6014,9 @@ } }, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "08d8c3881a690e49014abab4bfe6cf06d9e4ef69202e75b1ef47a50941191f03", + "sha256": "86a8f77e493766f2573af3fd44aa5355acd0aee0ec046bc6bee7f1022fea8ab1", "type": "esql", - "version": 111 + "version": 109 }, "751b0329-7295-4682-b9c7-4473b99add69": { "min_stack_version": "9.4", 
@@ -6057,73 +6032,73 @@ "rule_name": "Spike in Group Management Events", "sha256": "6111ce5b8cc57029859f4d7d1f13628833682f103a77863112e446c6c0cc6f3e", "type": "machine_learning", - "version": 106 + "version": 105 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", "sha256": "9fc432aa9a279cced87c9fda16b8665d2628e1dab0015863865b7afb8f2a813a", "type": "new_terms", - "version": 113 + "version": 112 }, "75c53838-5dcd-11f0-829c-f661ea17fbcd": { "rule_name": "Azure Key Vault Unusual Secret Key Usage", "sha256": "697c251dced5fdee5d4b9057aa2f791ab784595cc2b812fc403b7fe96b202bb8", "type": "new_terms", - "version": 5 + "version": 4 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "rule_name": "Service Disabled via Registry Modification", "sha256": "69703b792212ac650f5366d9c9672d3727d599a31dc333a09e730b29acaff933", "type": "eql", - "version": 7 + "version": 6 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "134c4594176dbca2b7f74074f945c476a08d79d6a308778f0f010a173d7a48da", "type": "query", - "version": 106 + "version": 105 }, "75f9b95f-370b-4ff3-a84c-66d9ec0b84eb": { "rule_name": "Nsenter to PID Namespace via Auditd", "sha256": "f88c26dc7d5fb9ad8dc2e4c143876eed2b3cdafaa896df247ffb58aa20da89be", "type": "query", - "version": 2 + "version": 1 }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "b1b0ac8a275f03a9e4f9266bdecc75a46d294a978807e76dfa46eff651b47ddf", "type": "query", - "version": 109 + "version": 108 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "rule_name": "Kubernetes Pod Created With HostIPC", "sha256": "3873bd6f2cb62ec83ea96f063ed37b195de67943416ef7620e3e8fc66c8a5cf5", "type": "query", - "version": 211 + "version": 210 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": 
"99fbc0670843f40742c6738d7b65a175e21e572c0104971752b9a0481f21d03b", "type": "eql", - "version": 120 + "version": 119 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "rule_name": "Creation of Hidden Shared Object File", "sha256": "fdaa141067192258d1fba1bc103d8e8971607fbf4b6aad9407dadd5afc396de9", "type": "eql", - "version": 216 + "version": 215 }, "769a2e72-11bd-437b-9503-e51e7790d273": { "rule_name": "Potential Privilege Escalation via SUID/SGID", "sha256": "ce94437cea9118c4db77c156765f82ad48e2325fed6434593be74ac094b0b2e5", "type": "eql", - "version": 2 + "version": 1 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "b57e22699be52ca6afa8d2d3fcd39a54dc822e9f4b0c45e9202b101e20d7299b", "type": "eql", - "version": 213 + "version": 212 }, "76de17b9-af25-49a0-9378-02888b6bb3a2": { "min_stack_version": "9.4", 
@@ -6139,43 +6114,43 @@ "rule_name": "Unusual Country for an Azure Activity Logs Event", "sha256": "daad53aa4c99d2d19175b91467d915c42a7f126b889c1a81734f3a78d05f6575", "type": "machine_learning", - "version": 103 + "version": 102 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", "sha256": "60456e0811186e9f508af57452cb7f817f28f4cee61eda0f03c1f2c5b8a81d31", "type": "eql", - "version": 16 + "version": 15 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "01ae46d4f651856933ca7c8347ea064170f254722c3796b0dff3566bcd3e9e8c", "type": "eql", - "version": 422 + "version": 421 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "0144659d5bb4aa17f606b5607bc2c8f3c8aa5e81be4a31afa402a200ff25cc34", "type": "eql", - "version": 322 + "version": 321 }, "77122db4-5876-4127-b91b-6c179eb21f88": { "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", - "sha256": "86a0dbef3266bd06d495e1e2ceb7a8331df565b85b7f720574b5f5c88db3b026", + "sha256": "c2d560f60f74a23d2e584cb249c922e56a552e5f3a1c99eda122d4d0bff70fc0", "type": "esql", - "version": 14 + "version": 12 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "Entra ID User Added as Registered Application Owner", "sha256": "c60444bf7db1c5dbe2aaa41078d472a6d0f4989088577b2fd9de8fd099b0171d", "type": "query", - "version": 110 + "version": 109 }, "7787362c-90ff-4b1a-b313-8808b1020e64": { "rule_name": "UID Elevation from Previously Unknown Executable", "sha256": "b2f265c1c6f02ff0149022c18138a9ef408fa696e50c27e9d3445721816237f5", "type": "new_terms", - "version": 10 + "version": 9 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Elastic Endgame", 
@@ -6187,67 +6162,67 @@ "rule_name": "Potential Network Sweep Detected", "sha256": "8cd906472fcb1e0eab241dcb4b3e15dc1d20c8b99da3affe9cb3b454b7b9eeb6", "type": "threshold", - "version": 16 + "version": 15 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { "rule_name": "Yum/DNF Plugin Status Discovery", "sha256": "4ee525bb41e218ef13fb88f401ac12bc1f5f99fa86cac02a671bd02fc136b7a9", "type": "eql", - "version": 109 + "version": 108 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", "sha256": "89f593e9c2cc1086cf274ad161b75d49ea5f24797707c2ace2f1890b733afdb5", "type": "query", - "version": 211 + "version": 210 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Entra ID Privileged Identity Management (PIM) Role Modified", "sha256": "17c1e3c3e1f2363cca5097d1febb1c1fdfe1dbe7ec5c36f72b89312dc365a544", "type": "query", - "version": 112 + "version": 111 }, "78c6559d-47a7-4f30-91fe-7e2e983206c2": { "rule_name": "Unusual Kubernetes Sensitive Workload Modification", "sha256": "476c9475efcc39f0bfcb65ff6f40dba940e50eb387e43d16645a8701bb24bc15", "type": "new_terms", - "version": 4 + "version": 3 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", "sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89", "type": "machine_learning", - "version": 213 + "version": 212 }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "2a433940966f2f0fe891fea3f39e6171fa12e90c3e5ad849e26484da381596f7", "type": "eql", - "version": 316 + "version": 315 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", "sha256": "fc4e1f18cd4299cef9d02f0fe5c7750aec32de3ccf737640f92c69abcf8aa99f", "type": "eql", - "version": 9 + "version": 8 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "rule_name": "Unsigned DLL Loaded by Svchost", "sha256": "9ea32cdb4aba86e589f83ad01881254cc615057b09a596f8a1740009fe17a0ea", 
"type": "eql", - "version": 13 + "version": 12 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", "sha256": "9f0dd07e9624660f7c948faf37e93c69ecb2938712118952d7030e874b4d22cc", "type": "eql", - "version": 8 + "version": 7 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", "sha256": "560c80b54abbb9cafeb5763facbe1bfc1170340cdba87d2d26f437a953ebba55", "type": "new_terms", - "version": 110 + "version": 109 }, "79543b00-28a5-4461-81ac-644c4dc4012f": { "min_stack_version": "9.2", 
@@ -6277,37 +6252,37 @@ "rule_name": "Execution of a Downloaded Windows Script", "sha256": "b8466ad6bbac620f7b3c11957e157be4a1d5210c764eaefdf7289fda21a7f9d2", "type": "eql", - "version": 308 + "version": 307 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { "rule_name": "SSL Certificate Deletion", "sha256": "5fbbd63d53cc0bd3f5bbee608b8d9827efa8a7109088607acffa178fec33e640", "type": "eql", - "version": 106 + "version": 105 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", "sha256": "3333d79d05ec9e15466500362c0268b37e40266434c27aabb9d73657780de11b", "type": "eql", - "version": 10 + "version": 9 }, "79e7291f-9e3b-4a4b-9823-800daa89c8f9": { "rule_name": "Linux User Account Credential Modification", "sha256": "795cea2132f0be536e09c042566c70bedbac1d9a32d7d90a6e8263771c4988b8", "type": "eql", - "version": 6 + "version": 5 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "rule_name": "Potential File Transfer via Certreq", "sha256": "9cc0e6419c073ff3ff662d338732b39dfadec281284f8660850c09294746617a", "type": "eql", - "version": 218 + "version": 217 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "cb8b9a7be0c9d85f513c4b408bd065b0757c377d6e23ab723dc55a1741e20517", "type": "query", - "version": 220 + "version": 219 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", 
@@ -6319,25 +6294,25 @@ "rule_name": "AWS First Occurrence of STS GetFederationToken Request by User", "sha256": "e68fa16e0202bd0bc07a1d9c59cc6181f3add4f34d17e2e78a88be517363d37f", "type": "new_terms", - "version": 8 + "version": 7 }, "7ab5b02c-0026-4c71-b523-dd1e97e15477": { "rule_name": "M365 AIR Investigation Signal", "sha256": "7c2b1e9f0ab3d40c7743bcdd398666dea7ce01f11bbb9e71369a218dc1463f85", "type": "query", - "version": 2 + "version": 1 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", "sha256": "99fca949ae8edfb7afb964e72886e6e40bb9aa3611aba9a895220b6a5d0f2bba", "type": "eql", - "version": 12 + "version": 11 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { "rule_name": "Potential Execution via SSH Backdoor", "sha256": "115b28ee0d196e28e67c341ab955d79013a022f4f7a4f1e7899195e22fb80d16", "type": "eql", - "version": 12 + "version": 11 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", 
@@ -6355,49 +6330,49 @@ "rule_name": "Windows Network Enumeration", "sha256": "1287015e2cbbf36f6c4fd25871e0f13e424829e01845ab1568b70bc999cc1c93", "type": "eql", - "version": 217 + "version": 216 }, "7b981906-86b7-4544-8033-c30ec6eb45fc": { "rule_name": "SELinux Configuration Creation or Renaming", "sha256": "132d0281d9ffb39716b5e09b2766d142277327f0aa62e243fc7be053cda4e360", "type": "eql", - "version": 106 + "version": 105 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "dd30b5f7a318ad5565b52afd773e5291c49e0651eeb6c859d4b29d254f2a8ef4", "type": "eql", - "version": 313 + "version": 312 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Shell Command-Line History", "sha256": "86c142a7a15c278ed74582e86edcee7de433f554bb163446de4fa128c5a46b6a", "type": "eql", - "version": 112 + "version": 111 }, "7c2e1297-7664-42bc-af11-6d5d35220b6b": { "rule_name": "APT Package Manager Configuration File Creation", "sha256": "0f2225c0e5a72b8db9a421b84b3d7600a08c7515a0f9198c8171b5d44ec8a112", "type": "eql", - "version": 10 + "version": 9 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "ae791bdb776e660c7036a0cd0a7a5d8657ddacbac0fa524b8c3f09de72e8443b", "type": "query", - "version": 112 + "version": 111 }, "7ce5e1c7-6a49-45e6-a101-0720d185667f": { "rule_name": "Git Hook Child Process", "sha256": "e1aafa5f4d3337d194ce54fa78c294dd28edec70497f58d3cfefde65ee48e549", "type": "eql", - "version": 108 + "version": 107 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", "sha256": "79fdf63a5b07ec050f2e4bccf65b9edcd7fa0acde10d5690ad4573db1c639f17", "type": "query", - "version": 110 + "version": 109 }, "7d02c440-52a8-4854-ad3f-71af7fbb4fc6": { "rule_name": "Alerts From Multiple Integrations by Source Address", 
@@ -6409,7 +6384,7 @@ "rule_name": "AWS Lambda Layer Added to Existing Function", "sha256": "98b713e30dc1a5a360825e71125517e2765b46a0ac94fb83c2b75e0695d261c7", "type": "query", - "version": 10 + "version": 9 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", 
@@ -6421,91 +6396,91 @@ "rule_name": "Potential Execution via FileFix Phishing Attack", "sha256": "8017672e1d5a3e9db124d9945f7a4ac62f198aec6733b445b3bac6be45ac7d90", "type": "eql", - "version": 5 + "version": 4 }, "7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": { "rule_name": "Entra ID Custom Domain Added or Verified", "sha256": "62e7543d4496ac6e879f5717d0348eb2a77d4585482a48073792c0f094f57367", "type": "query", - "version": 3 + "version": 2 }, "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { "rule_name": "SSH Key Generated via ssh-keygen", "sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843", "type": "eql", - "version": 107 + "version": 106 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", "sha256": "85bbf6cf0101b56ff21d6892fe6fb8895c06afbd4c9ab6bace4d8db07ede02ba", "type": "eql", - "version": 8 + "version": 7 }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "d223ec9ab8f7b8c61d6100d7408999304a0de71fe37a9e8eb43cbc6b4a7ed459", "type": "eql", - "version": 317 + "version": 316 }, "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b": { "rule_name": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces", "sha256": "5ac05499166d15e3391528b35f73a7473b93b9ae723abcfc4d87c496388a52f0", "type": "query", - "version": 3 + "version": 2 }, "7e5c0e5a-95a5-404e-a5b0-278d35dc3325": { "rule_name": "AWS EC2 Stop, Start, and User Data Modification Correlation", "sha256": "5085178d8ef62259fb3d7a651f12d9b8070eec2122578fbd32b611c1df0df882", "type": "esql", - "version": 2 + "version": 1 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", "sha256": "602390ce15528f3c17793e86c7683d855e54283b997afff2b59450a9133c229f", "type": "eql", - "version": 6 + "version": 5 }, "7eb54028-ca72-4eb7-8185-b6864572347db": { "rule_name": "System File Ownership Change", "sha256": 
"1e042eae7f87d61976c6c536ce63589d0e4f670101060411413e6cb718dd5017", "type": "eql", - "version": 5 + "version": 4 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "rule_name": "Security File Access via Common Utilities", "sha256": "dfd9d1738b7b47ca18ef97c110717eb2ebb80cd79bf43dcd58d9f5ca4f7dc466", "type": "eql", - "version": 108 + "version": 107 }, "7f3521dd-fb80-4548-a7eb-8db37b898dc2": { "rule_name": "Potential Notepad Markdown RCE Exploitation", "sha256": "93a1125fa6da577483bb725160ffb4b13b5dad6f47ccd67d77955061d4375e0b", "type": "eql", - "version": 6 + "version": 5 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "37d093b58d917e0eb1a4d8f9b92723a63feff6e1f14d8f8be3cfa3f2b9b5fb6a", "type": "eql", - "version": 215 + "version": 214 }, "7f3a9c2e-1d4b-5e6f-8a9b-0c1d2e3f4a5b": { "rule_name": "Potential Root Effective Shell from Non-Standard Path via Auditd", "sha256": "d0f106dcb3ff6ae76fa7b71147a962b1e967aa7e742d48988008a8e178d54fa9", "type": "query", - "version": 2 + "version": 1 }, "7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b": { "rule_name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation", "sha256": "6cf3054443a5d4ce4ad838455a77599f465d2a6d1b7aac00f871e31970d212ad", "type": "eql", - "version": 5 + "version": 4 }, "7f65f984-5642-4291-a0a0-2bbefce4c617": { "rule_name": "Python Path File (pth) Creation", "sha256": "5357e1bfb039ea8b93e129b2cdac2371d183c097a8351e7f1b28d086e81f487f", "type": "eql", - "version": 8 + "version": 7 }, "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": { "rule_name": "Web Server Potential SQL Injection Request", 
@@ -6517,61 +6492,61 @@ "rule_name": "Discovery of Internet Capabilities via Built-in Tools", "sha256": "c36b3a20bc7851ef82f259a38a6c6a7ec11f8f1ed9af8787d9658342939f9463", "type": "new_terms", - "version": 106 + "version": 105 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", "sha256": "11fb6ed836d3d13fda309a2ddebc6784355450f5e65c15241634917d7de7a449", "type": "eql", - "version": 21 + "version": 20 }, "7fc95782-4bd1-11f0-9838-f661ea17fbcd": { "rule_name": "M365 Exchange Mailbox Items Accessed Excessively", "sha256": "5712eee0f955297e794d9c01a9e2b82c4704a5f852b2a23492292651861f45ff", "type": "query", - "version": 5 + "version": 4 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", "sha256": "fc200a3dd1eacf187d77b981115f644d11a90ee47affcd553b303b26d9b02e9c", "type": "eql", - "version": 13 + "version": 12 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", "sha256": "5a2251601cf605cb63463e81b7f57bf842eb1dd019bcc6e1a5d05909114cea77", "type": "new_terms", - "version": 112 + "version": 111 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "rule_name": "Unusual Process Extension", "sha256": "85aada873799d2431ff32fe657e4ba002fcd4cf73c7d5d23d9660764dcec119d", "type": "eql", - "version": 7 + "version": 6 }, "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { "rule_name": "Deprecated - Potential PowerShell Obfuscated Script", "sha256": "fefa473559337a11c4edaefa3914f1b5e6809c26b04da1e9eb98f17f147f93a2", "type": "query", - "version": 111 + "version": 110 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "AWS SSM Session Started to EC2 Instance", "sha256": "9ee1ebd6c05bbcb790468a9e8e11271e207a5620aa553dae437bbcb645fceeb7", "type": "new_terms", - "version": 7 + "version": 6 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": 
"be4fcdd1b914e92f16ebb75fc86828552c9fc7abda2685ac63b28f7d9a3f2054", "type": "eql", - "version": 109 + "version": 108 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", "sha256": "99bf6df5902600b0c743678eb247b68b3d1fdec36e3c5d7f879c547fd0141726", "type": "machine_learning", - "version": 214 + "version": 213 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", @@ -6593,19 +6568,19 @@ "rule_name": "Unusual Remote File Extension", "sha256": "6abbaa944d0c5d273806bc58f6c8e79ceb52c0924dd195ee94aee3930230f16d", "type": "machine_learning", - "version": 110 + "version": 109 }, "8154d01d-04d1-4695-bcbb-95a1bb606355": { "rule_name": "Gatekeeper Override and Execution", "sha256": "991965250b10d42aec5d6ee76ab2fd8a361227d80eb667d76a4fa93528ded285", "type": "eql", - "version": 3 + "version": 2 }, "8167c5ae-3310-439a-8a58-be60f55023d2": { "rule_name": "Suspicious Named Pipe Creation", "sha256": "253e887c55def671178ffe4b57883d3bc98217574f194ba83ff1120724e1a7e3", "type": "new_terms", - "version": 6 + "version": 5 }, "81892f44-4946-4b27-95d3-1d8929b114a7": { "min_stack_version": "9.4", @@ -6621,13 +6596,13 @@ "rule_name": "Unusual Azure Activity Logs Event for a User", "sha256": "0c6c500f67d15e6e004f30895284446912eed2946c7433eb1b2e43ac9cb1368d", "type": "machine_learning", - "version": 103 + "version": 102 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "b2573abd94d397aa342b54649a68d6dd61b1eab6fa2a85262d80622ade46a7e4", "type": "eql", - "version": 318 + "version": 317 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", 
@@ -6639,62 +6614,62 @@ "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "7a4d5185d5e5d9b1908bab0d3aca30a9fd909de1e7ed5bd9973f17ea38c45131", "type": "query", - "version": 321 + "version": 320 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "rule_name": "Temporarily Scheduled Task Creation", "sha256": "19540fa8823bf220012c9be723cb349c87f01d6257c20b38423e67c4c11e70e2", "type": "eql", - "version": 115 + "version": 114 }, "8248323e-f888-4134-a26f-37a6362f7231": { "min_stack_version": "9.3", "rule_name": "DNS to Commonly Abused Web Services", "sha256": "dbb5583417dd597c8f05b913273b53b8409710f3ae1eb6b9aa6e9eb4c83092fd", "type": "eql", - "version": 2 + "version": 1 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "5b5b70876d3001d659553913b8987b5454fa88d97ba664716d9d4d284a02725d", "type": "eql", - "version": 214 + "version": 213 }, "8293bf1f-8dd0-434e-b52a-1aa6ec101777": { "rule_name": "Suspicious Write Attempt to AppArmor Policy Management Files", "sha256": "805555cf50ddc4f2911f97266442eb357b42c55674a349ea4f73f305fce05479", "type": "eql", - "version": 2 + "version": 1 }, "82f842c2-7c36-438c-b562-5afe54ab11f4": { "rule_name": "Suspicious Path Invocation from Command Line", "sha256": "277df1300e839607dcd3b2f0c822ad6033930c8c4c737859b4bc8f29cacd38e4", "type": "new_terms", - "version": 8 + "version": 7 }, "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": { "rule_name": "Manual Dracut Execution", "sha256": "29c7059375d06cd1cc12a302f2333031ad5939f3b5d67b5793afadddfdaea7fd", "type": "eql", - "version": 8 + "version": 7 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "b2a4836d17db8e9a4fc07bed95c967891c6e4ce8afd0df96514a379cf12501a3", + "sha256": "a2bb9648be410edc4f63b16588b57cd265841be85791537e0d4635d059306344", "type": "esql", - "version": 16 + "version": 14 }, "8383a8d0-008b-47a5-94e5-496629dc3590": { 
"rule_name": "Web Server Discovery or Fuzzing Activity", - "sha256": "d83fe4a414d17a095570931eccedc540ce362727af0e7ade3efdfec901021ab1", + "sha256": "985bf66729f4fbb6875ca03651b5f088856495eb5e52ed0c62d9c950a63b5641", "type": "esql", - "version": 7 + "version": 5 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted", "sha256": "886e69fd58d0b30bee105947d384e6ea7ca847b28e272a7a462e23162be0cbb7", "type": "query", - "version": 109 + "version": 108 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { "rule_name": "Linux Restricted Shell Breakout via the mysql command", 
@@ -6706,80 +6681,80 @@ "rule_name": "Suspicious Windows Powershell Arguments", "sha256": "f37d18299f2b6ae378e9ebbda386f621a87953d1876e6a1d5d05d56a2a42375e", "type": "eql", - "version": 215 + "version": 214 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "e7181205724d4dd074ed7813ffe5b2b8d1e6b3d21158bb791df05b329db185d9", "type": "eql", - "version": 116 + "version": 115 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role", "sha256": "4ba4a6143b3e9c0796753566012abd8ce4d00f6dc4a07026f37ecdae32914447", "type": "new_terms", - "version": 10 + "version": 9 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "rule_name": "Deprecated - Microsoft Exchange Transport Agent Install Script", "sha256": "231fa1320c2fe2c406250a79a7d96b9d5ba958d3b53f96867c8c3d563d7b55f5", "type": "query", - "version": 111 + "version": 110 }, "84755a05-78c8-4430-8681-89cd6c857d71": { "rule_name": "At Job Created or Modified", "sha256": "e03a6361412c5e8705b679c6544081b684e4b0d563f052e0624e583983c7baec", "type": "eql", - "version": 8 + "version": 7 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "rule_name": "Potential Upgrade of Non-interactive Shell", "sha256": "a68732ae9d35dba87c95fbec9aec936ab7565c1de5ba804a22841eadf018b195", "type": "eql", - "version": 109 + "version": 108 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "910ab24992b092b670b8f46bc6acd50d1ebd6641c4c0afbe68cb426c5c30f8bc", "type": "eql", - "version": 220 + "version": 219 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "rule_name": "Potential Remote Credential Access via Registry", "sha256": "574d715b6ce4b597ea59f0da4cbc28681d04fd706bffc3261faddca6bb433510", "type": "eql", - "version": 115 + "version": 114 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": 
"b3fd7ce2686a4da739298c81e33a67dfa9c63b11eb3976fa0b8c45ac55facc8a", "type": "new_terms", - "version": 218 + "version": 217 }, "85d9c573-ad77-461b-8315-9a02a280b20b": { "min_stack_version": "9.3", "rule_name": "Process Killing Detected via Defend for Containers", "sha256": "801e043b5aec7ea7952aa8ade78a681fd2bb3fdde4e305a4c8dae8cda599d58d", "type": "eql", - "version": 2 + "version": 1 }, "85e2d45e-a3df-4acf-83d3-21805f564ff4": { "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", "sha256": "e2f5f510ca7a02c9742e8740fd5c6a609fdbff33b7d65d755b9a2a93ef2d248b", "type": "esql", - "version": 12 + "version": 11 }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", - "sha256": "a8ed26b32cd94694adce57becfac407e2bf6897f14d5a065df29a2216e32fb20", + "sha256": "10bbd6b833bdba66080b6ea0671751c89bbd7d3fc0518fa6f03c456539502df0", "type": "esql", - "version": 14 + "version": 12 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "941cacbf7dfc86fc7816d9a2c8584951737f2b4dcf09ad1841befdc1cfa1ffe5", "type": "query", - "version": 213 + "version": 212 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "Deprecated - AWS RDS Security Group Deletion", 
@@ -6791,19 +6766,19 @@ "rule_name": "AWS IAM Group Deletion", "sha256": "3abaf9bcf2904f994396d8543bd3aaeef43a2e98d31e9eefa381b426864ee55a", "type": "query", - "version": 213 + "version": 212 }, "86aa8579-1526-4dff-97cd-3635eb0e0545": { "rule_name": "NetworkManager Dispatcher Script Creation", "sha256": "af4d1639fa424646c1f9aea3aa4e17d4c520b08a657af139282fba725cfc76d9", "type": "eql", - "version": 8 + "version": 7 }, "86b3a245-03de-49a5-ab57-ae44d8f064da": { "rule_name": "Container Runtime CLI Execution with Suspicious Arguments", "sha256": "b49008a2e524c3ab2b367ae2d73b208ee6a89c06a8e67a6bbd6c28ef543e4bd6", "type": "eql", - "version": 2 + "version": 1 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "rule_name": "Potential Linux Reverse Connection through Port Knocking", @@ -6815,25 +6790,25 @@ "rule_name": "Security Software Discovery via Grep", "sha256": "dd820be9349011d4ec335569d9898cb70ea8a935ad0df6f01cbe987c9d711bc7", "type": "eql", - "version": 114 + "version": 113 }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", "sha256": "4bbc068166c4cd467e8b63f0500aaddf001c6469a8ae6a620d661881570e619f", "type": "eql", - "version": 221 + "version": 220 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", "sha256": "e339c78401a6804c63a87a211a0a0487e1e57f189247c6bf1d912d29cfc286d6", "type": "query", - "version": 10 + "version": 9 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "5f457fe98b665b8a9e62cc644d1ab36295835009aa64a66b3ba48a3a15c0e423", "type": "query", - "version": 214 + "version": 213 }, "877cc04a-3320-411d-bbe9-53266fa5e107": { "min_stack_version": "9.3", 
@@ -6849,7 +6824,7 @@ "rule_name": "Kubectl Network Configuration Modification", "sha256": "a1894306d2121d58ca0fbece2a5bf937c976bf968265df675e6644c2ee86bd99", "type": "eql", - "version": 104 + "version": 103 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", 
@@ -6861,43 +6836,43 @@ "rule_name": "Linux Clipboard Activity Detected", "sha256": "586482d2e766199d7d20451c536089086726536ce2d6b78324c97ca9e8a27dac", "type": "new_terms", - "version": 11 + "version": 10 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "M365 Identity Global Administrator Role Assigned", "sha256": "826d91fd08a94cba97478f637b721a622927885f74aa5e12a9c39555ba33dc67", "type": "query", - "version": 216 + "version": 215 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "dffeb89bd2bc7aa9295056acf3f3e48cf641480002098af31aac13a9fd518282", "type": "eql", - "version": 114 + "version": 113 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "rule_name": "Potential Sudo Hijacking", "sha256": "15290009b50a0be19faab5d4bcf8b037b1133350ac236ed74d1fef9b7f28e36c", "type": "eql", - "version": 113 + "version": 112 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "79766485064b150c88c72e4318717a5ae5fbf67996a675b6a6fc90adc2bd6c35", "type": "eql", - "version": 213 + "version": 212 }, "894326d2-56c0-4342-b553-4abfaf421b5b": { "rule_name": "Potential WPAD Spoofing via DNS Record Creation", "sha256": "91e82c47e7296c7f031bd60c2e9a11cbad7708537f7897a41fc725b48242bcdb", "type": "eql", - "version": 109 + "version": 108 }, "894b7cc9-040b-427c-aca5-36b40d3667bf": { "rule_name": "Unusual File Creation by Web Server", - "sha256": "96ce6cefc962662f64fab145bdacab7fd6634c324ed8118e1ed935d9ae26bfae", + "sha256": "e571b65fc24fca4eca6d1be59574531c2d30099725b3b2636dfca04cf3dca1fd", "type": "esql", - "version": 10 + "version": 8 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -6909,79 +6884,79 @@ "rule_name": "FortiGate Overly Permissive Firewall Policy Created", "sha256": "d1d718262a55ce4eb2f3109b52008bb31b4730548cc74c0bb2f88c2066874849", "type": "eql", - "version": 3 + "version": 2 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "997ff3e71d520c0732a123e1d0ad70cdd6bf378b08cb0676dcb3dc3b8be50005", "type": "eql", - "version": 216 + "version": 215 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Suspicious Command Prompt Network Connection", "sha256": "78c4503367d09652a555301342470eda60e4bb0bbbdede4115675d26689da852", "type": "eql", - "version": 216 + "version": 215 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", "sha256": "dd084e812cce1783a6f9ba2487369dcde52524dd9ebbdf42cbb46fbc6775cb61", "type": "eql", - "version": 112 + "version": 111 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "rule_name": "Suspicious Symbolic Link Created", "sha256": "85b2f05242ef2b243497149f4a9ced74f2092360b32956fbd76fa5877477b9ae", "type": "eql", - "version": 12 + "version": 11 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "bfbc2e038be0e058b013edc804ae3cbf9358bf4e7a5e60ec7708fd9335b00208", "type": "eql", - "version": 214 + "version": 213 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "rule_name": "GitHub PAT Access Revoked", "sha256": "f2df2aa417dd23bf02331ebd404b3dd336f446beb1284f6393f29558895e7cbf", "type": "eql", - "version": 207 + "version": 206 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", "sha256": "3cdc89e93768197c70d988777a765055e5d99d6ff147c94e5015d96650a4f6ce", "type": "eql", - "version": 111 + "version": 110 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "b1b9d970b94d1f0d33fee26a4679f1232d96921a54d9a4d0c247b861915dce0f", "type": "eql", - 
"version": 215 + "version": 214 }, "8a1db198-da6f-4500-b985-7fe2457300af": { "rule_name": "Kubernetes Unusual Decision by User Agent", "sha256": "87463c0ee2b94b85ef1a97b095d7804388e7ec85b856a29cf58045acff6110ef", "type": "new_terms", - "version": 7 + "version": 6 }, "8a556117-3f05-430e-b2eb-7df0100b4e3b": { "rule_name": "FortiGate Administrator Login from Multiple IP Addresses", "sha256": "9dcb51c768e95cbd73655d85347ee0163b46f11470f3d673caf5994a6cf16314", "type": "esql", - "version": 4 + "version": 3 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "9af183f0898497548e96c09ddfe9a51ebc3e65db6be58b64891ede967f7a09ff", "type": "query", - "version": 416 + "version": 415 }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { "rule_name": "Unusual Command Execution from Web Server Parent", - "sha256": "67026a5271dfee3885ded9f2c185ec626772f29c47b50e3d9d51b83092abec19", + "sha256": "df522ce5e98dfecebb085a50f07d0317c34618922825d910d3e36754b4d631b9", "type": "esql", - "version": 14 + "version": 12 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -6993,67 +6968,67 @@ "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "sha256": "500aa971acca151f7325aa6f5b1b35a36cd749170866c9f0f3f9a5d1061d008b", "type": "eql", - "version": 111 + "version": 110 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "0891db2139f619c3e12aa7ff813fb6c47c0b921921e10f68302d2cc5e09094fc", "type": "eql", - "version": 316 + "version": 315 }, "8b4d6c3a-2e9f-4b7c-9a5d-6f8e3c1b4d2a": { "rule_name": "Azure Storage Account Keys Accessed by Privileged User", "sha256": "ef60832a362b19da1ecb80f507f7097c504c401b7bfae720da603f222f294c0f", "type": "new_terms", - "version": 3 + "version": 2 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "155748dc2cb03082c198d49c5b3a63d68bcbb946ac0249b60cdd1c0ad240e967", "type": "eql", - "version": 317 + "version": 316 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Events Deleted", "sha256": "8e4798edae7eb2301c9219ac5243fe24e10cd947652efff3d972e522037a0d38", "type": "query", - "version": 110 + "version": 109 }, "8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": { "rule_name": "Several Failed Protected Branch Force Pushes by User", "sha256": "161df6cf4be2d2363710a4fe6c657d1b60e3e64c8b7438588f60e9f60d3528b5", "type": "esql", - "version": 5 + "version": 4 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "a116199798ce219c0aceb2948a7979d20498678ec9bb86abedd8ddb7e974d16b", "type": "query", - "version": 111 + "version": 110 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", "sha256": "9955aae54a8f93f01d22e8dbeba7c6f61bdff91c51078dd51ce9daf7339f6580", "type": "eql", - "version": 321 + "version": 320 }, "8c707e4c-bd20-4ff4-bda5-4dc3b34ce298": { "rule_name": "GitHub Private Repository Turned Public", "sha256": 
"d2deb01d1b50975220e5ee778a3f487256d2704c60bb881efde3f2af99d372f5", "type": "eql", - "version": 4 + "version": 3 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", "sha256": "a5bd7d9ab86ab20b88f66312067bfab6a568f6e2e62a6086ae485a5d2e41f0b6", "type": "eql", - "version": 114 + "version": 113 }, "8c8df61f-ed2a-4832-87b8-ee30812606e0": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via Command Line", "sha256": "0adfd339ad27a6b8b76c80aedee937f94c4f97230a6eb989be7cc055dc705db6", "type": "eql", - "version": 3 + "version": 2 }, "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": { "min_stack_version": "9.4", @@ -7069,7 +7044,7 @@ "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", "sha256": "b1badadb630b67c0ce5e1097220bb27225d8f7c5aeafd602875395912a5854c2", "type": "machine_learning", - "version": 105 + "version": 104 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", @@ -7081,25 +7056,25 @@ "rule_name": "Potential Successful SSH Brute Force Attack", "sha256": "a96fb4b4b383179cc72cb5eae13d8db7519f05a462df336a7c09f4ff2348581e", "type": "eql", - "version": 17 + "version": 16 }, "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { "rule_name": "RPM Package Installed by Unusual Parent Process", "sha256": "fd3063980542ef2a702e17a3d1846cff65911774f84b6f95d92358d7c03f8e7b", "type": "new_terms", - "version": 7 + "version": 6 }, "8cd49fbc-a35a-4418-8688-133cc3a1e548": { "rule_name": "Proxy Execution via Windows OpenSSH", "sha256": "e08100fdb189d4a8d88e1b98e86124b022055743f5ea002e7c6e51addcb26261", "type": "eql", - "version": 4 + "version": 3 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", "sha256": "0bf06ca7dbd6bf33afe26f82f0a013a7c48a33b7aa69fe2114aa607308c21adb", "type": "eql", - "version": 7 + "version": 6 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "9.3", 
@@ -7115,7 +7090,7 @@ "rule_name": "Interactive Shell Spawn Detected via Defend for Containers", "sha256": "50e2c7782f8be9f72c7128dc4db0539b9d79ef43293b239f22635c9dbe0b1cd5", "type": "eql", - "version": 106 + "version": 105 }, "8d4d0a23-19d3-4186-a6f1-6f0760d2e070": { "rule_name": "Multiple External EDR Alerts by Host", 
@@ -7127,97 +7102,97 @@ "rule_name": "Entra ID OAuth ROPC Grant Login Detected", "sha256": "7c732e1ccfa76a9e4b864a9a5cc905c699b322c8fd19066eb9ae614ad50d1e82", "type": "new_terms", - "version": 5 + "version": 4 }, "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": { "rule_name": "Potential Data Exfiltration Through Wget", "sha256": "3fd2b1b4a83e83cd6cc4d3b9171acbf2a8727daa0a182983a596c27976019c1c", "type": "eql", - "version": 4 + "version": 3 }, "8d9c4128-372a-11f0-9d8f-f661ea17fbcd": { "rule_name": "Entra ID Elevated Access to User Access Administrator", "sha256": "83c4b5a6c2d976377276bf4663925ff8f4c92cb2bd44e8d4ff715af6e89ca335", "type": "new_terms", - "version": 6 + "version": 5 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "rule_name": "Potential Privilege Escalation via PKEXEC", "sha256": "b076e4e14884d25fba16f078694f7925272dd885b2e4091bc53e86bf8312b0fe", "type": "eql", - "version": 214 + "version": 213 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", "sha256": "4310e0e0dd6ef5d366aac17c4b8233b9ed3a2a2603d418aeb156e14b7ca3bc2d", "type": "query", - "version": 109 + "version": 108 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "rule_name": "Potential WSUS Abuse for Lateral Movement", "sha256": "753cd28018873970c400a8298c254ce1524a2b19087d022f3c34d946504e3669", "type": "eql", - "version": 214 + "version": 213 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", "sha256": "4d5ec92b6f2172b7a6f70ad0e96425134d404f434be5f19e8347ab2f531bce2d", "type": "eql", - "version": 7 + "version": 6 }, "8e66c55f-8db6-4e3e-bf4f-3a3e242bdf66": { "rule_name": "Microsoft Graph Multi-Category Reconnaissance Burst", "sha256": "7a9834cd74794ce51aa225cb563776e440a9c8e8148106721fe40db00f5e2418", "type": "esql", - "version": 2 + "version": 1 }, "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": { "rule_name": "Entra ID Actor Token User Impersonation Abuse", "sha256": 
"3d44c73a3692bf5d2e82a05e5660e69202bc834886ad39fb4b6b3fe0211e845a", "type": "esql", - "version": 7 + "version": 6 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "rule_name": "Bitsadmin Activity", "sha256": "ebcef83158cf83d309f5a795e4af56f9baaf29a4683c7458757351eec539a0f2", "type": "eql", - "version": 109 + "version": 108 }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { "rule_name": "File Transfer Utility Launched from Unusual Parent", - "sha256": "ae91e3758de4c74a7ba69bdf76662d67f67d37f3c15d937cd4cd1358692708c6", + "sha256": "836b3c4bc02c3e85bb2f6eaa8fec7d019a33b393b55fb392dc33c9c865f2deb6", "type": "esql", - "version": 14 + "version": 12 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "79d2a9160017926198d637f08dc603fedbb7cd4fbd83d17b74b08580ee1474bd", "type": "eql", - "version": 109 + "version": 108 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", "sha256": "97d9b5554bd6133e3e4d7eab81bb0e47fff98c0f0126fc4f675c97058901bb29", "type": "eql", - "version": 114 + "version": 113 }, "8f8004e1-0783-485f-a3da-aca4362f74a7": { "rule_name": "Linux User or Group Deletion", "sha256": "9097975f7890b4d531b35ae33794bd65145b919c575d26e22fa95c26151a5f1c", "type": "eql", - "version": 3 + "version": 2 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "166e37431a08e33591ca315008ea56f76f0f709bf7e858c2dd2fe622cccd981e", "type": "eql", - "version": 213 + "version": 212 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", "sha256": "76199312383db1b95ac2268eaada459efb3d102690231973671f8a2c499dfde3", "type": "query", - "version": 109 + "version": 108 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", 
@@ -7229,55 +7204,55 @@ "rule_name": "Hping Process Activity", "sha256": "5452130912b7e1ab2aa128c84c0b21c6969d10067f9d01105f86b08e0a26dcab", "type": "eql", - "version": 214 + "version": 213 }, "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": { "rule_name": "GenAI Process Connection to Unusual Domain", "sha256": "411e1e52013103268793186989a70512a23fff33bd76a04df70efccab5657b4f", "type": "new_terms", - "version": 6 + "version": 5 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS DB Instance or Cluster Deleted", "sha256": "01f5c53e0534cf3e8f1dbc49a95dffba600a0a04c5417d52cf36cd471cf5a624", "type": "query", - "version": 213 + "version": 212 }, "9056d577-4da5-47bf-8c94-6c0b1bb3f8a5": { "rule_name": "Chroot Execution in Container Context on Linux", "sha256": "1327e72d0dfdb1e0f8b9b5f3fefee53813631ef25ed39a9bbba78105ed320c11", "type": "query", - "version": 2 + "version": 1 }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { "rule_name": "Simple HTTP Web Server Creation", "sha256": "09d9d01561eb71ac979bff7232ba219371801a51e963720cbb333052c30acf43", "type": "eql", - "version": 107 + "version": 106 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "3767b47364ab96c700f9ddf5ee8bf9636f68b00a9d5b36d8c98ee2483cd8cd65", "type": "eql", - "version": 115 + "version": 114 }, "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", "sha256": "04c5ec27d3a9b03f4132d923b9bcf00154388d2360fe8789359516fccfc3187d", "type": "threshold", - "version": 7 + "version": 6 }, "90babaa8-5216-4568-992d-d4a01a105d98": { "rule_name": "InstallUtil Activity", "sha256": "1f836d04fff5d1714236d933b95423d63a44b8df46085065d9e394338ffd3e8c", "type": "eql", - "version": 108 + "version": 107 }, "90c0ce77-3fb4-484f-a8ad-4648e12b35b1": { "rule_name": "AWS EKS Access Entry Modified", "sha256": "b0dee71f273e351db266bb3a78718389454410b327626c2aaabb5e9dc8852273", "type": "query", - "version": 2 + "version": 1 
}, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", @@ -7288,33 +7263,33 @@ "90e4ceab-79a5-4f8e-879b-513cac7fcad9": { "min_stack_version": "9.2", "rule_name": "Web Server Local File Inclusion Activity", - "sha256": "ce9227305b17902586304198a3a92cec6183faa6ee8d90012c43430db3f90801", + "sha256": "03d1493423cf1eecb33f5c4bb9d629da961d04391cab206a3651b60855ddd1e8", "type": "esql", - "version": 7 + "version": 5 }, "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { "rule_name": "Linux System Information Discovery via Getconf", "sha256": "aa1f61fe8a16a44fd7569befb93e71d7bf94d8ade6285a0afabf70257ebdf9ec", "type": "new_terms", - "version": 6 + "version": 5 }, "90efea04-5675-11f0-8f80-f661ea17fbcd": { "rule_name": "Entra ID Unusual Cloud Device Registration", "sha256": "ef5f1f198548e65c9ed5cb95c3b011532c0de3d57edca67c59a6007529e93b0c", "type": "eql", - "version": 6 + "version": 5 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "b710a75749f1c2ca395821015bbfa00e3870d75a89785e4506f4029b9d54445c", "type": "query", - "version": 110 + "version": 109 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", "sha256": "b772aae4fecd07fc3fda61945a74f84d5f31d5e5371a490c75a2c1f5e39b21d9", "type": "query", - "version": 213 + "version": 212 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "9.4", @@ -7330,7 +7305,7 @@ "rule_name": "Unusual Web User Agent", "sha256": "cfcad42e56eaf65d1ad977504ea2a1122b7bec964cd4aa3c09f5aaa0983e206a", "type": "machine_learning", - "version": 208 + "version": 207 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "min_stack_version": "9.4", @@ -7346,7 +7321,7 @@ "rule_name": "Unusual Web Request", "sha256": "6674d243b24f7dbdaa41751d1c4dc3244e6757de2c25baff5ebbd5d32e1422d5", "type": "machine_learning", - "version": 209 + "version": 208 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "min_stack_version": "9.4", 
@@ -7362,7 +7337,7 @@ "rule_name": "DNS Tunneling", "sha256": "6d6bb3df7c940826fbc2cbff1da1ad41b1dd196c901b034d0f7f1bfe259397a0", "type": "machine_learning", - "version": 209 + "version": 208 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", 
@@ -7374,91 +7349,79 @@ "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "58da4c9a17bcfbc79ef87cb25e7a4fcf2d48d7ed569789517061ef9be0b86634", "type": "query", - "version": 215 + "version": 214 }, "929d0766-204b-11f0-9c1f-f661ea17fbcd": { "rule_name": "M365 Identity OAuth Phishing via First-Party Microsoft Application", "sha256": "5b1525d9fb3e1d0b955b43b502826a19998607b96fce7d351b5f2a4b656a61fe", "type": "query", - "version": 6 + "version": 5 }, "92a36c98-b24a-4bf7-aac7-1eac71fa39cf": { "rule_name": "First Time Python Spawned a Shell on Host", "sha256": "be63d148ae752f2a10774f0a44d74f9d112e91c8757bb2b6821252b3481ce6c1", "type": "new_terms", - "version": 3 + "version": 2 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "rule_name": "A scheduled task was created", "sha256": "7efafffc437abbe227a0503113191f580362de2d55f7d83279aa4718b2ad5227", "type": "eql", - "version": 116 - }, - "92b11a06-57ab-4f6d-a18b-fb7fdf3cc63f": { - "rule_name": "Passwordless Sudo Probing", - "sha256": "5d374b31858c7cb44f7506ee9ec1d5f6e39af3b48436baf5cb9fe763edc9e9d7", - "type": "eql", - "version": 1 + "version": 115 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "ba06cd9a60b678a177105f360eee0602b9dbae4dc739bd308111e4ccf706fe98", "type": "eql", - "version": 112 + "version": 111 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", "sha256": "a7f3fb92910eb74a17595421262ef4c0c685a07e4e5512f18cdb96117b34f30b", "type": "new_terms", - "version": 217 + "version": 216 }, "93120a05-caf5-47f6-a305-e8abee463fb9": { "rule_name": "Kubernetes Pod Creation Using Common Debug or Base Images", "sha256": "75899e6bc8d17dbb87ecafbe4e9e56a1a465d8e7dffd767f9a24ac2d03860358", "type": "new_terms", - "version": 2 + "version": 1 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Activity", "sha256": 
"bed251adfc37c827253140e4659e753a36a15717622a7081ab318cf765576578", "type": "eql", - "version": 212 + "version": 211 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "c55bac37daa9321802740fb410156e014f7560d5cc079d927f224956d090523e", "type": "query", - "version": 214 + "version": 213 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", "sha256": "b1ca64a473159cace9469b404e6e212f76b072963ef57f2082259313d45d3b85", "type": "eql", - "version": 215 + "version": 214 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Deprecated - Encoded Executable Stored in the Registry", "sha256": "f68b4a5cc0a9b8ae595d15919b1ce6607fa1a1b6e08ef5f73c6b91d35996c7ac", "type": "eql", - "version": 420 - }, - "93d2c5bf-dac1-4e0f-ab52-16f440782bb8": { - "rule_name": "Google Workspace Login Flagged Suspicious", - "sha256": "eb63d1ef0bc52fa63f2f387b028278320a8454acb64c36302e5a6addba4a5e55", - "type": "query", - "version": 1 + "version": 419 }, "93dd73f9-3e59-45be-b023-c681273baf81": { "rule_name": "Linux Video Recording or Screenshot Activity Detected", "sha256": "a7d3bdce1506512de3038f519099b488cfaf31a9ddf4c791ac8aca3c2861359b", "type": "new_terms", - "version": 3 + "version": 2 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", "sha256": "69b1e02d3a36de758cf981011b13ecfc3134cc52eeaa7686b2f2aef99248120e", "type": "query", - "version": 211 + "version": 210 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration", @@ -7470,7 +7433,7 @@ "rule_name": "Executable Bit Set for Potential Persistence Script", "sha256": "36ac08934324e18a5d413160904562eb2048ebc1ec0386d2e5c65e183599afbb", "type": "eql", - "version": 110 + "version": 109 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Deprecated - Creation of Kernel Module", 
@@ -7482,67 +7445,67 @@ "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "3507e4b16ab8077d5b8ded1a95748032027b442f316dbc78a0ac441986535426", "type": "eql", - "version": 217 + "version": 216 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Potential Okta Credential Stuffing (Single Source)", "sha256": "c9bdd66f536436153709d92c363c2bfc9637912240daf7eb789913fb2a9f4efe", "type": "esql", - "version": 212 + "version": 211 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "e9260d441ee6bb2650fab753e31ab175e5b98418141b067ed6cd3a942bd81750", "type": "query", - "version": 111 + "version": 110 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "c0132ac1a7c0915024784aa3942547eb1ab31b0ca04f36d96800c8bd7ae1d279", "type": "query", - "version": 111 + "version": 110 }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { "rule_name": "D-Bus Service Created", "sha256": "a18c513e885014629b1256650fe3ded14d233dc2ed783efca6ecb4b8af1946fa", "type": "eql", - "version": 8 + "version": 7 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", "sha256": "d806114e9175121535a78373c2f4f747985e6a90c11f6e960c3370037b71e866", "type": "eql", - "version": 216 + "version": 215 }, "9550ec87-e73c-4baa-ad44-e448a33fbc3d": { "rule_name": "AWS EKS Access Entry Granted Cluster Admin Policy", "sha256": "652611a8d6d720fe183c23b189538c22c0965eadeff325253a214218fb49ca7a", "type": "query", - "version": 2 + "version": 1 }, "9563dace-5822-11f0-b1d3-f661ea17fbcd": { "rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client", "sha256": "4062c9fbacade77b466ba4c8c18199e74c0d56a88a9eeef6fdc5d2d4494315d7", "type": "new_terms", - "version": 6 + "version": 5 }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": 
"ac705fd1257ac37bcda167b715884142ebe726b87d21f9f82b2b0bbd48822ee4", "type": "query", - "version": 215 + "version": 214 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "81f5b2064e7de2bb721c91a9b87d91bb7c70f19839bc093e4bf47ee2544c3cae", + "sha256": "a266665d423c29eff07547ef4fd37eec7dc215b9f139f64484299c2a1bc49456", "type": "esql", - "version": 213 + "version": 211 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", "sha256": "7d65bad7fb01c9df8886dd57509eeb3dab22246cd5bdb3030a6770a70c26d822", "type": "new_terms", - "version": 9 + "version": 8 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "min_stack_version": "9.3", 
@@ -7558,67 +7521,67 @@ "rule_name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers", "sha256": "8731c52d5893d47420bbb5a3b0149d7db6bfb0f0bb7297e2fd1c7cbbb03a5f01", "type": "eql", - "version": 106 + "version": 105 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "rule_name": "File made Immutable by Chattr", "sha256": "f924c739edb9ebd321df9baebfbf20c658b48cffa6bc33e56a3061d08f2160d1", "type": "eql", - "version": 218 + "version": 217 }, "96b2a03e-003b-11f0-8541-f661ea17fbcd": { "rule_name": "AWS DynamoDB Scan by Unusual User", "sha256": "922c37a1cdb6f1cd90a88e213929b164bbb8346fecf5aaf2548d04f5c1200ffb", "type": "new_terms", - "version": 7 + "version": 6 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", "sha256": "6b1686cc7b6a837576f758cc91736ce0308787558a588f34d90d5cb568304455", "type": "query", - "version": 415 + "version": 414 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", "sha256": "fb6f0c3d4a4b1103cffd1214243faf16011837bf6185ed9dd364b4b00955967d", "type": "eql", - "version": 18 + "version": 17 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process", "sha256": "c279f98199a5b04feb2862a6366b838116076f27a12f928988e6fa4747284e71", "type": "eql", - "version": 213 + "version": 212 }, "96f29282-ffcc-4ce7-834b-b17aee905568": { "rule_name": "Potential Backdoor Execution Through PAM_EXEC", "sha256": "132131e91bb5571399245226355bb06a9e2707dbe7eebedaa18d51a965601746", "type": "eql", - "version": 5 + "version": 4 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "3f327621ed0547019a5b5d0a878ab68f39d8bea7a021464559cbccee95018f77", "type": "eql", - "version": 115 + "version": 114 }, "9705b458-689a-4ec6-afe8-b4648d090612": { "rule_name": "Unusual D-Bus Daemon Child Process", "sha256": 
"32963455b75df93504e8d1002eaa12a8821f55aa19be3c4fee1115dc42f8708c", "type": "eql", - "version": 7 + "version": 6 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "M365 Exchange Anti-Phish Rule Modification", "sha256": "5085f954d4ff259286c61446ad71512f3a21abc0c58e2e492aea0ccb050116d8", "type": "query", - "version": 213 + "version": 212 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "f2cc5c75a97f850533473a4b070a5de9e09cadd3e2d2ab3e3594bf7a4f0bd19c", "type": "query", - "version": 110 + "version": 109 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { "min_stack_version": "9.3", @@ -7634,19 +7597,19 @@ "rule_name": "DebugFS Execution Detected via Defend for Containers", "sha256": "cb201a9e31aa49674cb68601b095f1fe2812900a8e7b104b8e5a35913c4cd69c", "type": "eql", - "version": 105 + "version": 104 }, "976b2391-413f-4a94-acb4-7911f3803346": { "rule_name": "Unusual Process Spawned from Web Server Parent", - "sha256": "5194925ce4db32f868c73564de0e94c334165dfc31b40121db84172cc965cf6e", + "sha256": "5bf6380747f1cb95b184818ca866517ab8cd592d255de6dee340594eb30015d8", "type": "esql", - "version": 14 + "version": 12 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", "sha256": "101588c75ca495165b4a75b184b63ce8f2ecc204a09f8a1f687e32708adb06e5", "type": "query", - "version": 215 + "version": 214 }, "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": { "rule_name": "Potential HTTP Downgrade Attack", 
@@ -7658,13 +7621,13 @@ "rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications", "sha256": "a44033692c37bed24ce3925b6ca42e5bd9fb6b47ee30ff08d20220ff77e28f9c", "type": "eql", - "version": 420 + "version": 419 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", "sha256": "1a18715f4ab14be5a645089d5e96d2d98eaf64d7c8b4239d84d2d0c8b518fbfa", "type": "eql", - "version": 424 + "version": 423 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -7676,7 +7639,7 @@ "rule_name": "Suspicious Renaming of ESXI Files", "sha256": "34932396b727d338f36c36468067ccae5bda12c0704d2824ff90b34548bbe134", "type": "eql", - "version": 14 + "version": 13 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", 
@@ -7688,43 +7651,43 @@ "rule_name": "Startup or Run Key Registry Modification", "sha256": "d7a6f3d9e2ace9040d8e06757f2efc2c06486ff524feba35e5e3a743560622d6", "type": "eql", - "version": 121 + "version": 120 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "sha256": "dafbd42605333aa135c1efb0261e9eb5359dffe444e4979a8dea91630c9e80ff", "type": "eql", - "version": 10 + "version": 9 }, "9822c5a1-1494-42de-b197-487197bb540c": { "rule_name": "Git Hook Egress Network Connection", "sha256": "cc8a4cc0fb13f05a7da5ab6cfb6cd3695172d812a45c53e6a907e9695ba46683", "type": "eql", - "version": 8 + "version": 7 }, "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", "sha256": "d8b0db21eaf28b6c2ede7046c2a599db635f704533c740913838a7ef0b324a85", "type": "eql", - "version": 108 + "version": 107 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "1d8b7387ffc9ba14ad87292fe10c366ccadee0b56b8e0932723616aa4afb8154", "type": "eql", - "version": 108 + "version": 107 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "9e0d0436cb2a69e6b72f3dc82fd928e79dd5ee95eaf0a59877b5e93864791dc7", "type": "query", - "version": 110 + "version": 109 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "M365 Exchange Management Group Role Assigned", "sha256": "12f387e3566dfd84bdb25e5380d9df4277a814500ce2286d1b624994ca9552d8", "type": "query", - "version": 214 + "version": 213 }, "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": { "min_stack_version": "9.3", 
@@ -7740,20 +7703,20 @@ "rule_name": "Kubectl Configuration Discovery", "sha256": "33897dd8a858f989c8a73f3f64ff7d370670cc9d413c2f2b022a4b1ef3ca0e10", "type": "eql", - "version": 104 + "version": 103 }, "98cfaa44-83f0-4aba-90c4-363fb9d51a75": { "min_stack_version": "9.2", "rule_name": "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts", - "sha256": "25ecd1343c0719865ac7ad139f4a588a1c388531d9f2d50601d454232eb6c6c9", + "sha256": "36a458a86040717891dffe0223608c244d185d931205bbeee4113444efced15a", "type": "esql", - "version": 4 + "version": 2 }, "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": { "rule_name": "M365 SharePoint Site Administrator Added", "sha256": "dd4667aa3346d5aaf3c34b89d393074ecf11bf0188f022df8a39f52ad5c089a9", "type": "query", - "version": 3 + "version": 2 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "Deprecated - AWS EC2 Snapshot Activity", 
@@ -7771,43 +7734,43 @@ "rule_name": "Suspicious Installer Package Spawns Network Event", "sha256": "10b68299303c79e2f3f73069791e5403b756335bc4d4d502987b6d7352fd276b", "type": "eql", - "version": 114 + "version": 113 }, "994e40aa-8c85-43de-825e-15f665375ee8": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "e6d17410dec032b711ab184de223d6a66583d99ce4761d37339a5dfddd2d61d4", "type": "eql", - "version": 117 + "version": 116 }, "9960432d-9b26-409f-972b-839a959e79e2": { "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "97c6179e37d6a79ce2058fadfe181ef06473676782811c2c2c42619d9ef9d70f", "type": "eql", - "version": 315 + "version": 314 }, "999565a2-fc52-4d72-91e4-ba6712c0377e": { "rule_name": "Access Control List Modification via setfacl", "sha256": "14fa79860f040a253d5c11c72158206f1e5d8427bf093ceea28e56c485e5deb0", "type": "eql", - "version": 108 + "version": 107 }, "99ac5005-8a9e-4625-a0af-5f7bb447204b": { "rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query", "sha256": "a2d97fff1bd846c160d0686891ff780be940567b549646c42ea3501261c01f27", "type": "eql", - "version": 4 + "version": 3 }, "99c2b626-de44-4322-b1f9-157ca408c17e": { "rule_name": "Web Server Spawned via Python", "sha256": "310b1e61d9b41741178106b8ba4ed0c827b48f8a08a902c110a7820c4292770e", "type": "eql", - "version": 107 + "version": 106 }, "99c9af5a-67cf-11f0-b69e-f661ea17fbcd": { "rule_name": "Potential VIEWSTATE RCE Attempt on SharePoint/IIS", "sha256": "bb8b21db9e5d74586d51fb821124a37c98917348d26a72bccecddea93d210c28", "type": "query", - "version": 2 + "version": 1 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "9.4", 
@@ -7823,31 +7786,31 @@ "rule_name": "Spike in Failed Logon Events", "sha256": "6c2a61bfd4d95da96708ad6dd4ffad62c9111f9ab7950b025deef83d487990df", "type": "machine_learning", - "version": 209 + "version": 208 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security (Elastic Defend)", "sha256": "9a34f25056907f42962de240e218fc715885d5e29636b34368c1b817e89a3e25", "type": "query", - "version": 109 + "version": 108 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { "rule_name": "Unsigned BITS Service Client Process", "sha256": "e5e1fcb9ece7005ef0bf2067c7f44e12d243276d89aa4b0a9100bfab5196ca5c", "type": "eql", - "version": 6 + "version": 5 }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "rule_name": "Potential Shadow File Read via Command Line Utilities", "sha256": "e8efbccb131f12cbf2af6152d092d09160eccb18d0bf83fc5d299a3bb5ed419a", "type": "new_terms", - "version": 214 + "version": 213 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", "sha256": "df0048d2667b6c222cfdce393bfaed7e9c0b0ff9f393e1e2179394241e1acdf9", "type": "eql", - "version": 316 + "version": 315 }, "9a6f5d74-c7e7-4a8b-945e-462c102daee4": { "min_stack_version": "9.3", 
@@ -7863,85 +7826,85 @@ "rule_name": "Kubeconfig File Discovery", "sha256": "952491df2d553d81ac6123388594fb05d3495f6ad8592f77c734e2f8c1ec0938", "type": "eql", - "version": 105 + "version": 104 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "3810a0fccc9e811440eae244a951df04360e69e721dfcf8f30aa58e24469f983", "type": "eql", - "version": 317 + "version": 316 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", "sha256": "da64cc799df3d7b93ccb5ae04e3e099d02a697837a05f18e35f295b53e2747fb", "type": "eql", - "version": 11 + "version": 10 }, "9aeca498-1e3d-4496-9e12-6ef40047eb23": { "rule_name": "Suspicious Shell Execution via Velociraptor", "sha256": "6b99269e68808661c7b097b7da16cf8d7325e44f45bb3d3d2420dc40f42bcdd8", "type": "eql", - "version": 5 + "version": 4 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "rule_name": "GitHub Owner Role Granted To User", "sha256": "8c4046c8e10aa286e834471735eccdfa372b1419bfbe3dfca6713b231951221e", "type": "eql", - "version": 212 + "version": 211 }, "9b35422b-9102-45a9-8610-2e0c22281c55": { "rule_name": "SentinelOne Alert External Alerts", "sha256": "68730c7058c78efbdb1fa839ed203894407fe046b9db371d79697927d04df699", "type": "query", - "version": 2 + "version": 1 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "rule_name": "Persistence via WMI Event Subscription", "sha256": "374c1fe670e524331c98bbb4ec7592c692b262eb48d79de575d8a792ab4a3eb2", "type": "eql", - "version": 320 + "version": 319 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", "sha256": "08b7cbc1fe957a8e96b47412dde3a48dee6dd1c2196e026c8300003adc915044", "type": "eql", - "version": 11 + "version": 10 }, "9c0f61fa-abf4-4b11-8d9d-5978c09182dd": { "rule_name": "Potential Command Shell via NetCat", "sha256": "fe7066cb047e8fcd01978d0b3fa2b4907279ea0c61582379577178729366bd78", "type": "eql", - "version": 4 + 
"version": 3 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "rule_name": "Hosts File Modified", "sha256": "2a3d34af24f45fc01ea0f0bcd3ba685e5a5caa3780e1818985ea77f40f1e9ffc", "type": "eql", - "version": 215 + "version": 214 }, "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": { "rule_name": "Unusual Interactive Shell Launched from System User", "sha256": "9ece81aaee4ed5b034cf8a085367eaccce1145402d65119600ff18fed390a0d4", "type": "new_terms", - "version": 7 + "version": 6 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "19de9f9fc0e3eecf2d6c781ee13ed518693898c4ae017773ae00935a3c0461b8", "type": "eql", - "version": 116 + "version": 115 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { "rule_name": "Potential Enumeration via Active Directory Web Service", "sha256": "0c85320dda4c263897f73786db5f64709cee15a949bdeb737af5e0699732c8d8", "type": "eql", - "version": 8 + "version": 7 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "b196224da05961cc60a8e23ab01d266096b0a93b7052944f664f549754b8f810", "type": "eql", - "version": 316 + "version": 315 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "rule_name": "Google Workspace User Group Access Modified to Allow External Access", 
@@ -7959,37 +7922,37 @@ "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "81212b96cde03acf5a34ba614c8863dcc6824d7342a7a9bb0de627b78ae23a56", "type": "new_terms", - "version": 319 + "version": 318 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "a5a2120ba773b49b0c59e22922b4d05a1af99a127f4a6bdf1f9aee20e15bedcf", "type": "eql", - "version": 320 + "version": 319 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "c7e89da2a2aa3a6c364cad023a1d462109ad48931c034f3dbd9796b13a413f5a", "type": "eql", - "version": 221 + "version": 220 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "0982e8339b388a70826a63e397b5e247bacd15c4aa96fa2be11d965afd150e48", "type": "eql", - "version": 215 + "version": 214 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "42048d40cc9b676d20a7f287ad562321f8a39036183d95d04b769aebead1de85", "type": "new_terms", - "version": 322 + "version": 321 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": "934d4f4f579d6487e86d38b573a7fedca4169097d8914b5859aedc7ba96931f5", "type": "eql", - "version": 213 + "version": 212 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading", 
@@ -8011,172 +7974,172 @@ "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "f8d8912ae2d8039dc804a4fb2851251923c29ebace475dcf20f4bd3b87bcc4fa", "type": "machine_learning", - "version": 208 + "version": 207 }, "9d312839-339a-4e10-af2e-a49b15b15d13": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Common Utilities", "sha256": "d0d094b1f3d2824d3f539e132c5573e5b8d9e94f113705086cb90fc35438b8dc", "type": "eql", - "version": 4 + "version": 3 }, "9d94d61b-9476-41ff-a8d3-3d24b4bb8158": { "min_stack_version": "9.3", "rule_name": "Tunneling and/or Port Forwarding Detected via Defend for Containers", "sha256": "f8be6f477a2da1a7d940956c6dbc04076b17f5ab491021aaa8b623554c49eae5", "type": "eql", - "version": 3 + "version": 2 }, "9e11faee-fddb-11ef-8257-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Authentication Type", "sha256": "c99ca37b4a4b58fb57cfc77836e72bbe603e86068b3ea86669df86ac64e69d76", "type": "new_terms", - "version": 9 + "version": 8 }, "9e5dbd3b-5e19-4648-a1cf-c2649c91b015": { "min_stack_version": "9.3", "rule_name": "Namespace Manipulation Using Unshare in a Container", "sha256": "e432f9cf681f15c99f6ef764b574776af1db178c2e2367382ffb482750acf8f5", "type": "eql", - "version": 2 + "version": 1 }, "9e81b1fd-e9fb-49a7-8ebe-0d1a14090142": { "rule_name": "Potential Password Spraying Attack via SSH", - "sha256": "1539ca39127ce11bc3543aebcf5edbec20da6b9993011e23dc0e2dd1709d95c6", + "sha256": "3cbe10aca00d7c1efe266e506d7f5a7d57600ad6207ecce6d61f2bb650737630", "type": "esql", - "version": 5 + "version": 3 }, "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": { "rule_name": "Potential SSH Password Grabbing via strace", "sha256": "c9bef573b3f690c4d008b46914f0168b42c2944eb1945c737c89d8a76e6f4aa4", "type": "eql", - "version": 4 + "version": 3 }, "9ebd48ac-a0e2-430a-a219-fe072a50146b": { "rule_name": "AWS CloudTrail Log Evasion", "sha256": "b08fe11bdf17d81c9516472a841db7993c175996a06773032ef7b92282f89ebc", 
"type": "query", - "version": 4 + "version": 3 }, "9ed5d08f-aad6-4c03-838c-d686da887c2c": { "rule_name": "Okta AiTM Session Cookie Replay", "sha256": "39164513ba294600eae6f1e6a7d5ac56cf28a69c5d48983ffe6a3f7ce5639f99", "type": "esql", - "version": 4 + "version": 3 }, "9edd000e-cbd1-4d6a-be72-2197b5625a05": { "rule_name": "Suricata and Elastic Defend Network Correlation", "sha256": "2ab8e7a7800653b9e37968900393df0f9f2f5d33441573121f0280acbe34c2cd", "type": "eql", - "version": 5 + "version": 4 }, "9edd1804-83c7-4e48-b97d-c776b4c97564": { "rule_name": "PowerShell Obfuscation via Negative Index String Reversal", "sha256": "b33c684120dc6f9e6274cf518cc990c7730ed0e47045a4cb79d4cf11bb098b76", "type": "esql", - "version": 11 + "version": 10 }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", "sha256": "22b08b978d2a7ffdaf6487814a21eac8a8b3882f05c0c72938e5ada70b2f223d", "type": "eql", - "version": 10 + "version": 9 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", "sha256": "de326157f887fe153178406c21d4c6d5b7083d7b37989d95fbe88cc3b47cf107", "type": "eql", - "version": 217 + "version": 216 }, "9f420cca-cb27-44db-a13d-c43c7b48e04a": { "rule_name": "Kubelet API Connection Attempt to Internal IP", "sha256": "cca84cb2c6da4a05157e5d1e018a7bbe95a35bd604d0a3b76740a644e6330382", "type": "eql", - "version": 2 + "version": 1 }, "9f432a8b-9588-4550-838e-1f77285580d3": { "rule_name": "Dynamic IEX Reconstruction via Method String Access", "sha256": "a51bf01a5df76390c908b50a4a9b7c3fb2cdad0ed9c8e0c55d50b16b67c240d7", "type": "esql", - "version": 13 + "version": 12 }, "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f": { "rule_name": "AWS IAM Long-Term Access Key First Seen from Source IP", "sha256": "427dd26601fe597a174af7d832b94eb1a8f5786d002b426dd2946745d63601c8", "type": "new_terms", - "version": 3 + "version": 2 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via 
DCSync", "sha256": "9c42ae537b615ded60d491c0690bcaa728c5fe70c54e4d67b5d0a21a63b88776", "type": "new_terms", - "version": 222 + "version": 221 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", "sha256": "d93040becd8bbf8f42f58453634aae7a7ea3e2544497b11c5ebe435f07c4b01b", "type": "new_terms", - "version": 217 + "version": 216 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "8795f294df2824f66b4130cdff5d174717d9981c7dd6f859e37bbcb28b3c398b", "type": "new_terms", - "version": 320 + "version": 319 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "rule_name": "Unusual Scheduled Task Update", "sha256": "c67025ab0d89afff2e717de898cb55d5689c8aad67826167a03b0cd4c9bc284b", "type": "new_terms", - "version": 119 + "version": 118 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "rule_name": "Potential Privilege Escalation via Python cap_setuid", "sha256": "e33dee9e1e0472fe7b4bb95a33a85484750138d145fa1fd68bad0ec533d1e2db", "type": "eql", - "version": 10 + "version": 9 }, "a0fbd7a9-1923-4e05-92df-b484168f17bc": { "rule_name": "Sensitive File Access followed by Compression", "sha256": "4229ab56c54c29e2fee1021f6509406944d50803d252c497dd310d99fed68335", "type": "eql", - "version": 3 + "version": 2 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "b7563d73159d22dee91b57c70d5c21d5a8a4e1bda6dac44d4d928cd855957b07", "type": "query", - "version": 111 + "version": 110 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", "sha256": "e62636c003eda020e0336d2bf353771df79401bc70067f267bf5059c2bce00dc", "type": "eql", - "version": 213 + "version": 212 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", "sha256": "5efdf2a253cb05a0a0e2d843c94d7196d97edc860d48285c4275b8aa17f1887f", "type": "eql", - "version": 217 + "version": 216 
}, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "253c914e9293edebec6c7faf581b9cef1faa6bab72fc5ae1ce5284af5d7a0a04", "type": "eql", - "version": 214 + "version": 213 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": "015324413a84362600add02b8df771116af2de4f119d3868ab9425704251e0d8", "type": "eql", - "version": 216 + "version": 215 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "5c9184b7bbce98b4980ceaaf2d6c8d70b16c21ace2d1ecb51d7c6cfb7050a0dc", "type": "query", - "version": 110 + "version": 109 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { "rule_name": "My First Rule", 
@@ -8188,85 +8151,85 @@ "rule_name": "Potential Reverse Shell Activity via Terminal", "sha256": "1933279eb0a1f69eecd6e4e705790232b200372e83e832ecfb52e1319e301f5e", "type": "eql", - "version": 113 + "version": 112 }, "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d": { "rule_name": "Azure Storage Account Deletion by Unusual User", "sha256": "352c5821d7eca95826730550a43559e960148a7696f8b66ee023fbedc192978c", "type": "new_terms", - "version": 3 + "version": 2 }, "a1b2c3d4-e5f6-4789-a0b1-c2d3e4f5a6b7": { "rule_name": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity", "sha256": "c3bf694ddbb0183b499e816bed860e55e57086d6f8bee87f6eead524f76a96ff", "type": "esql", - "version": 2 + "version": 1 }, "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": { "rule_name": "Potential Account Takeover - Logon from New Source IP", "sha256": "3eb049e7a57e256acae41fb8b3da9603ace0b0d8167ea059564a83f64cc7a5b2", "type": "esql", - "version": 4 + "version": 3 }, "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": { "rule_name": "Entra ID Protection Admin Confirmed Compromise", "sha256": "54a26dec737e913d13398210e60b5e0765bc4f57976293f5c9666910f23ef99a", "type": "query", - "version": 4 + "version": 3 }, "a1b2c3d4-e5f6-7890-abcd-ef1234567890": { "rule_name": "GenAI Process Connection to Suspicious Top Level Domain", "sha256": "c597b499c50eebdee9b57239e803b09995c9099b189f7337ed6bc1c272e861ea", "type": "eql", - "version": 2 + "version": 1 }, "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": { "rule_name": "Web Server Suspicious User Agent Requests", - "sha256": "a833ee4b7c19641ca3daf264579b87d14ec90f03abffd847f896dfa9a226465c", + "sha256": "f069dfa7e85bd95eea645793c221cb5329e75544f6b1b6646cc55a104a95ee7f", "type": "esql", - "version": 7 + "version": 5 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "rule_name": "Linux Group Creation", "sha256": "d0040002c9b7c60e5e303893dd4a5ca29f8df89596c3191f76c6af9d7d2eaf06", "type": "eql", - "version": 12 + "version": 11 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": 
"DNS-over-HTTPS Enabled via Registry", "sha256": "1094a50c56d7017e3b7cacacb46da4f3f742a1927fcbbd986b23e9f2cb7b8632", "type": "eql", - "version": 318 + "version": 317 }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", "sha256": "8ee49a67c0bedcc25c790e6d57a0835f5748dc89b35eb4dd6c0736231edeace1", "type": "new_terms", - "version": 7 + "version": 6 }, "a22f566b-5b23-4412-880d-c6c957acd321": { "rule_name": "AWS STS AssumeRole with New MFA Device", "sha256": "6935a7b9fd5f67e312b06f45233bc7e9e6e832dc3f93a9c0b1f84cb7624bb384", "type": "new_terms", - "version": 9 + "version": 8 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", "sha256": "8ffc100a7b1d4ce6518d28c266f7b80ca1898c4505645909bdfea0f8f22ac297", "type": "query", - "version": 113 + "version": 112 }, "a2951930-dd35-438c-b10e-1bbdc5881cb4": { "rule_name": "Kubernetes Cluster-Admin Role Binding Created", "sha256": "e69d0cfdb03d64b04b04b0301086a748d32f13d2f828a3b71177061780ee9f68", "type": "query", - "version": 3 + "version": 2 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "rule_name": "PowerShell Mailbox Collection Script", "sha256": "55d54469459e3e10c63d48e5b841cec3199fb5050e041092c06301b26217a960", "type": "query", - "version": 114 + "version": 113 }, "a300dea6-e228-40e1-9123-a339e207378b": { "min_stack_version": "9.4", 
@@ -8282,31 +8245,31 @@ "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", "sha256": "a296f2e27d0d4e3f4f6c7ab90fc49f8f4a0b4c14d49775288666a234e4b403b2", "type": "machine_learning", - "version": 105 + "version": 104 }, "a337c3f8-e264-4eb4-9998-22669ca52791": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected", "sha256": "c842a49d9921b27647b6349ad118e5d70cd985461f2b819bf9fa5f5a4a11bae3", "type": "esql", - "version": 3 + "version": 2 }, "a3cc60d8-2701-11f0-accf-f661ea17fbcd": { "rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client", "sha256": "38c9a1b455477aee830f90a89dae1d703f545c3d857cf4262153a23b2e0c80ba", "type": "new_terms", - "version": 7 + "version": 6 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", "sha256": "45e496a5db75cfaeacfff862a81984feb874e83dda47302b806b3018d6b902b8", "type": "eql", - "version": 316 + "version": 315 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", "sha256": "7f99f097bb57ddc1941d88331bcbee883d0ab39981bc2f9b36b90e3de2a4f6ed", "type": "eql", - "version": 5 + "version": 4 }, "a4b740e4-be17-4048-9aa4-1e6f42b455b1": { "min_stack_version": "9.4", 
@@ -8322,19 +8285,19 @@ "rule_name": "Spike in GCP Audit Failed Messages", "sha256": "0293cbc3c1b896acdee5fb53bfe925958fc9d5ec773806a13d9e468e89a65005", "type": "machine_learning", - "version": 102 + "version": 101 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "494c2ead2012b6ac1746c05e790ae1b33e01a2c4944d8d5ceea9b180635be2eb", "type": "eql", - "version": 115 + "version": 114 }, "a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a": { "rule_name": "Kubernetes Secret get or list with Suspicious User Agent", "sha256": "e46a2fbbff2a97fc224bcfc204b6da19f6797f396c7f45d04837c9c0e237ffc6", "type": "query", - "version": 2 + "version": 1 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -8346,7 +8309,7 @@ "rule_name": "Suspicious SolarWinds Web Help Desk Java Module Load or Child Process", "sha256": "76d59e79f3babe6154c71460acf4fda53d270601b8e4aef05258ca8d78e64833", "type": "eql", - "version": 4 + "version": 3 }, "a52a9439-d52c-401c-be37-2785235c6547": { "min_stack_version": "9.3", @@ -8362,7 +8325,7 @@ "rule_name": "Netcat File Transfer or Listener Detected via Defend for Containers", "sha256": "7e3bfec1c4781db2d7417c710ec2883216a3b33ff5bfd0292f1c72cf76b48f18", "type": "eql", - "version": 106 + "version": 105 }, "a577e524-c2ee-47bd-9c5b-e917d01d3276": { "rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary", @@ -8374,7 +8337,7 @@ "rule_name": "Potential Reverse Shell via UDP", "sha256": "682586bdb044ed6ab9f2d86aa3803980638ce1756f871292eca8c0f20adae25e", "type": "eql", - "version": 13 + "version": 12 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "rule_name": "Potential SSH Brute Force Detected on Privileged Account", 
@@ -8396,19 +8359,19 @@ "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "527325250cfdd394de8beb2562d3f3d0b44210d85cdfb77b26cfbcbb2c56a852", "type": "new_terms", - "version": 318 + "version": 317 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Entra ID PowerShell Sign-in", "sha256": "5d891782faacde7c072c3f8e3819b0e10c0932cbea16e27587b86081ee4e243e", "type": "query", - "version": 111 + "version": 110 }, "a6129187-c47b-48ab-a412-67a44836d918": { "rule_name": "M365 Azure Monitor Alert Email with Financial or Billing Theme", "sha256": "34085bc10fd883d07e4593354c15c2b5a740f637f8f8a0dac8b18c02556d89dc", "type": "esql", - "version": 3 + "version": 2 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "rule_name": "Threat Intel Windows Registry Indicator Match", 
@@ -8420,49 +8383,49 @@ "rule_name": "Suspicious MS Office Child Process", "sha256": "61beceda1e8d0cc9099934a9ad0a0bcae06126b1650941b03a8b4e36c8c1f191", "type": "eql", - "version": 321 + "version": 320 }, "a640ef5b-e1da-4b17-8391-468fdbd1b517": { "rule_name": "Execution via GitHub Actions Runner", "sha256": "ea34a8cd8b428ffac29baa616dc58a516e9d24a3ae30c3525c5fdf5478d1bc34", "type": "eql", - "version": 4 + "version": 3 }, "a643e6b8-ba2a-45f1-8d71-d265bfe2ae43": { "rule_name": "Kubernetes CoreDNS or Kube-DNS Configuration Modified", "sha256": "f9ac0a1ac302dd70ac23d1538d11ac1c49b802df8e0e9d47ce6c2e8c10627cb7", "type": "query", - "version": 2 + "version": 1 }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", "sha256": "6ce6628461a895263040879ad1dfccf958216ebc96b9c795d5b3ce688836c641", "type": "eql", - "version": 8 + "version": 7 }, "a68da7d6-7eab-45bd-97c5-93b469c0706e": { "rule_name": "Shell History Clearing via Environment Variables", "sha256": "947c4f4f578b77ec8de5b9313a87559740ab6d5272631cd859175d57e2c06c80", "type": "eql", - "version": 2 + "version": 1 }, "a698a653-e144-4e40-bade-35135935be45": { "rule_name": "Kubernetes Static Pod Manifest File Access", "sha256": "431eacdea1a3b80fdcde70fa178d5c24b34efa54a40431c2e2192ee86222d548", "type": "query", - "version": 2 + "version": 1 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", "sha256": "0aef85561df73b765eb845f8de00dd44020df10da07314fb87273d339f48199e", "type": "eql", - "version": 114 + "version": 113 }, "a6d4e070-b9b9-4294-b028-d9e21ad47413": { "rule_name": "Entra ID Protection User Alert and Device Registration", "sha256": "310fb191964cd8a1481bfde5eabce117f3b6e1f1134007c7bb846f0d233c50c7", "type": "eql", - "version": 5 + "version": 4 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "min_stack_version": "9.4", 
@@ -8478,125 +8441,125 @@ "rule_name": "High Mean of RDP Session Duration", "sha256": "0cf7caa172c255e31f5dcf206ca1101b180773c822559efef5ad87fde3d2d054", "type": "machine_learning", - "version": 110 + "version": 109 }, "a750bbcc-863f-41ef-9924-fd8224e23694": { "min_stack_version": "9.3", "rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers", "sha256": "31e7a49e77598252a554c7de32610e73a9bcd249edd8f11c4d792f3e14f2916d", "type": "eql", - "version": 4 + "version": 3 }, "a7577205-88a1-4a08-85d4-7b72a9a2e969": { "min_stack_version": "9.2", "rule_name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal", - "sha256": "286a9fdb00de50fa7f9737c72f2b6e1017d20eaa821798e5b202732ffb6ed218", + "sha256": "b08945299b2979bc5b4cb397789d41998ee6fc5b71db51bfe41012ad68ba8e2b", "type": "esql", - "version": 5 + "version": 3 }, "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": { "rule_name": "Execution via OpenClaw Agent", "sha256": "a9fb3ddbff42c0d57d6e0002f0d6155ea00cf381999b2af63577940aa8776c47", "type": "eql", - "version": 5 + "version": 4 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious Print Spooler SPL File Created", "sha256": "9a80dda429d15a1d127b965b832c36ae3ecc37b8d11e618da12fd5c3d7c2d9db", "type": "eql", - "version": 119 + "version": 118 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "09188e85df6c935a817c69aff47b5bb33c503487e0fb04907d556b52211719f9", "type": "eql", - "version": 318 + "version": 317 }, "a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": { "rule_name": "M365 Purview Security Compliance Signal", "sha256": "d963fc1b077051067a8bc042f00ec72e4f00312ac6bc459bfacda7b80c2b9ec4", "type": "query", - "version": 2 + "version": 1 }, "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": { "rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User", "sha256": "26c16152fd28558423e9c60d5393ad5482ec38ef5492aeb15ecfb8587231fddc", "type": "eql", - "version": 4 + "version": 3 }, 
"a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", "sha256": "a43c4cce90f10259b7f083ff5adbd8eca3f9cc3b122406f30ace77a409419d1b", "type": "new_terms", - "version": 8 + "version": 7 }, "a80ffc40-a256-475a-a86a-74361930cdb1": { "rule_name": "AWS IAM SAML Provider Created", "sha256": "8d2440f5b8111e88075595c64071b426a241d0e78819f05d6c66caeca7046f04", "type": "query", - "version": 4 + "version": 3 }, "a8256685-9736-465b-b159-f25a172d08e8": { "rule_name": "Suspicious Curl to Jamf Endpoint", "sha256": "c823ebf0672517c8ed1929f4379c1fac131417b4c0dca9ef94e1dea1560ad82a", "type": "eql", - "version": 3 + "version": 2 }, "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { "rule_name": "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker", "sha256": "84fcc460d0f329b6494b2756d4cb004798d5c54d8f76ee6b19ac2b149fc59a3a", "type": "query", - "version": 9 + "version": 8 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "5477bb1770d6318e393bcc2afa8bb0beb8c77aa1af475f245c7cb193b9f51338", "type": "query", - "version": 106 + "version": 105 }, "a87d49f0-24ae-4d6e-a0b4-5fd2f6188d6a": { "min_stack_version": "9.3", "rule_name": "Kubectl Secrets Enumeration Across All Namespaces", "sha256": "c380ca5eff3db9572f02a9c429106de2ea18f096aa7e9f0b4a7d3bcfd1d5e7b6", "type": "eql", - "version": 3 + "version": 2 }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { "rule_name": "Authentication via Unusual PAM Grantor", "sha256": "f46594fa786a8d96dc492f49de6a09e7c4bf69b2f8f6bba7fc371fe01c0140c3", "type": "new_terms", - "version": 7 + "version": 6 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", "sha256": "b083c7c924a0947dc0048039147a36632af5a70ced0a58b91f8d089faa8cf44f", "type": "eql", - "version": 10 + "version": 9 }, "a8b08d2d-6dfe-453f-87d1-11d5fc3ec746": { "min_stack_version": "9.3", "rule_name": "File Download Detected via 
Defend for Containers", "sha256": "dd24216e43c8d2d97f235518778ef26185e2277d713a56fc385c92a5ed05305b", "type": "eql", - "version": 4 + "version": 3 }, "a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": { "rule_name": "Newly Observed ScreenConnect Host Server", - "sha256": "901d5325cdc68d1b37b24db1c28a0f7dcfcf2f864f57b82f4daa589f16989ef5", + "sha256": "42aea7c755e89c2bd3dc07f143d1900120f97192aa9e1d3400c34f98c42e26eb", "type": "esql", - "version": 5 + "version": 3 }, "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { "rule_name": "Azure Storage Blob Retrieval via AzCopy", "sha256": "4cafd5b1d72e9099750d39514142a06221336044dc6ab66d5df8acf39358c552", "type": "new_terms", - "version": 4 + "version": 3 }, "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": { "rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand", "sha256": "55145a5b782b65b05f5834f544ec591950f607a59669ef53b3cf1cd0dfce7950", "type": "esql", - "version": 5 + "version": 4 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "min_stack_version": "9.4", @@ -8612,19 +8575,19 @@ "rule_name": "High Variance in RDP Session Duration", "sha256": "3f9e29581657650330798e93e0d4b843c0de67a256b30133da018e49aca461f2", "type": "machine_learning", - "version": 110 + "version": 109 }, "a8e7d6c5-b4a3-2918-0f9e-8d7c6b5a4032": { "rule_name": "Kubernetes Pod Exec Cloud Instance Metadata Access", "sha256": "19051cb2a65f548b54771af0f577af7e2eb44f76107957bf272b6015313fe25b", "type": "esql", - "version": 2 + "version": 1 }, "a8f3c2e1-4d5b-4e6f-8a9b-0c1d2e3f4a5b": { "rule_name": "AWS IAM Sensitive Operations via Lambda Execution Role", "sha256": "722248fbd97f34880ac46f44b6881220135ab96b0ffbff1f45977226ab809dde", "type": "query", - "version": 2 + "version": 1 }, "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { "min_stack_version": "9.4", 
@@ -8640,13 +8603,13 @@ "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", "sha256": "8a3a0a541278d7abc6675acd56413d6d3ec869a0bebfb0ef0bbb8f846c5adfc5", "type": "machine_learning", - "version": 105 + "version": 104 }, "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": { "rule_name": "React2Shell (CVE-2025-55182) Exploitation Attempt", "sha256": "a60f77fb20413deff742fb48c1ef902bdd8a712ed6eacc619eceaf824f93bfbe", "type": "eql", - "version": 2 + "version": 1 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", @@ -8658,31 +8621,31 @@ "rule_name": "M365 Exchange Email Safe Link Policy Disabled", "sha256": "6b995af6f7a66f483caeb7f4b0ed5e4fbce766890078ac36b73135b287bebc97", "type": "query", - "version": 214 + "version": 213 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", "sha256": "ab5be5778aeb2192c5a6b094c17c63ba6bec949da499eff193f5208975a9bf86", "type": "query", - "version": 211 + "version": 210 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "968e5d19c19da327582404a25be9dadac756379a58bb515651ea70f93c0059c5", "type": "eql", - "version": 217 + "version": 216 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "165337503847ed379edc1c1e54e7503406682e6849717aa2668355066215f1c6", "type": "query", - "version": 111 + "version": 110 }, "aa1e007a-2997-4247-b048-dd9344742560": { "rule_name": "Script Interpreter Connection to Non-Standard Port", "sha256": "e45fd015a2a23f9dae370bf76c6835579ef979403f82f2256fcf2c71dadae0e8", "type": "eql", - "version": 3 + "version": 2 }, "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": { "min_stack_version": "9.4", 
@@ -8698,31 +8661,31 @@ "rule_name": "Spike in Group Lifecycle Change Events", "sha256": "65061d6e84d85ff3f20ca8420b9fb9f8bad47f3264055c2fd6c4347a74673750", "type": "machine_learning", - "version": 105 + "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", "sha256": "08a46011d52f72f80b008709b145d97420698886ef6cd771ecba32a0ed3ac316", "type": "query", - "version": 110 + "version": 109 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", "sha256": "7633b03ab034572bab063198511ae4e111488b09f58f32812662c42da32b9762", "type": "eql", - "version": 219 + "version": 218 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "rule_name": "Remotely Started Services via RPC", "sha256": "6044bf376ccf04ea41cce6830f9e16bb0e4e844f7476ebbddb782cf23d5f3dc4", "type": "eql", - "version": 219 + "version": 218 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "rule_name": "Veeam Backup Library Loaded by Unusual Process", "sha256": "40212eadfc73ddc6d9f2fba89b444a4f0646b6c991c6f16e3b33e61216bb6cda", "type": "eql", - "version": 7 + "version": 6 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", 
@@ -8734,43 +8697,43 @@ "rule_name": "GRUB Configuration Generation through Built-in Utilities", "sha256": "27610c9d7787e7f52bb7ead9aef37e9fb044dd6430bbe3d6769401682fde8596", "type": "eql", - "version": 7 + "version": 6 }, "ab25369e-ea5e-46f1-9cd5-478a0a4a131a": { "rule_name": "Multiple Elastic Defend Alerts by Agent", - "sha256": "ca121c6714b6416e730ad49c7313f25c4b680f8b38b6332271edb1a8590278c9", + "sha256": "ca36982b65f983afbd58ef8087bb1e67f1468ce5ff36888897cfda5e08b2e4f6", "type": "esql", - "version": 3 + "version": 2 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", "sha256": "800ec5ed633507891479b778135ca7c8a5269e65744649d1d8a0ea40408dc5d7", "type": "eql", - "version": 124 + "version": 123 }, "ab7795cc-0e0b-4f9d-a934-1f17a58f869a": { "rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)", "sha256": "9eb2c45dfa3291e5f9ceaf2caf261fbed05150c8688cdfc93f3c7731b5759f90", "type": "eql", - "version": 4 + "version": 3 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "rule_name": "AWS S3 Object Encryption Using External KMS Key", - "sha256": "f78746bec8d16f8e147c24b40af66562e1041ebecef503a061a778bfb53da5c7", + "sha256": "8ccdf67f1d4b379fa6cc68be39217c56969856cc4f90870f049c0942c6268d93", "type": "esql", - "version": 14 + "version": 12 }, "ab9a334a-f2c3-4f49-879f-480de71020d3": { "rule_name": "Unusual Library Load via Python", "sha256": "7a0ef5b6fa33fef315d70305319e2f28b52ecf4bcd373708a98ffb1312146928", "type": "eql", - "version": 3 + "version": 2 }, "aba3bc11-e02f-4a03-8889-d86ea1a44f76": { "rule_name": "Perl Outbound Network Connection", "sha256": "1199004d18d11cefa9e43650db5c565969e006d67b5da5d7cb5ec77c33114b01", "type": "eql", - "version": 3 + "version": 2 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "9.4", 
@@ -8786,49 +8749,49 @@ "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "9a73061513a45d35de86697c4b677a0b2e5dbc1f1d9a84b7f5d0d24234dda985", "type": "machine_learning", - "version": 311 + "version": 310 }, "abb7bc31-b865-4318-80a9-b9ee4edd57b6": { "rule_name": "Kubernetes API Request Impersonating Privileged Identity", "sha256": "47ddae266a654e4f71a1b66785569f16e1d60655d17563fb566a4b2b10259462", "type": "query", - "version": 2 + "version": 1 }, "abc7a2be-479e-428b-b0b3-1d22bda46dd9": { "rule_name": "Google Calendar C2 via Script Interpreter", "sha256": "cd3aac05b993742d0c467053b7548c79623f2da5a4d979c6abe448b797d3411c", "type": "eql", - "version": 3 + "version": 2 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", "sha256": "3458d345ab11b49c4e091f9cf2f1b6535e27e905407265f7ac9aef9dfb91564b", "type": "query", - "version": 113 + "version": 112 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", "sha256": "f72e495d77718926a77986259bf53a198b1fd96ed96ead06aa95fc1b3bb9cd6d", "type": "eql", - "version": 421 + "version": 420 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { "rule_name": "Git Hook Created or Modified", "sha256": "d613f940d2dddc9dad9333b8188f60d43dc30443a11f82c3821da4d4ac7cf4f7", "type": "eql", - "version": 109 + "version": 108 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "rule_name": "Outlook Home Page Registry Modification", "sha256": "3453811ef45dfeac70ddf054126131c00f9dc9bc32ded269570d7ed0d3c660f1", "type": "eql", - "version": 210 + "version": 209 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "rule_name": "WPS Office Exploitation via DLL Hijack", "sha256": "cef314234586cf1545f7d707ad192fd03d3e953b281e604e680f99949ed7e97f", "type": "eql", - "version": 107 + "version": 106 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "9.4", 
@@ -8844,7 +8807,7 @@ "rule_name": "Unusual AWS Command for a User", "sha256": "39f69f2d45fbc7e8dc0ec930f3b66d28754b3502bea0b2b1b8d0a8b7a229d199", "type": "machine_learning", - "version": 314 + "version": 313 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server", 
@@ -8856,43 +8819,37 @@ "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "3f9b5483fae2eb0413c7c38ead3683419d62efc4ed179f45151f5383ccff6ef4", "type": "query", - "version": 217 + "version": 216 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", "sha256": "72223005ab05d709e4988e024d34920e78f0de89f73f36f865dace15179a2abc", "type": "query", - "version": 212 + "version": 211 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "5df363ed16d64f340d500cc7c16cf64ac44edbe112391910d8559bcf4cfeede5", "type": "eql", - "version": 112 + "version": 111 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential macOS SSH Brute Force Detected", "sha256": "2a62d8689df1b549f8a9709b36bddcac030fbf8715e6fe481ec8e8b5434ef6e8", "type": "threshold", - "version": 114 + "version": 113 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "6e6fcdde0fee19516c1e5836d84451a1720fa05f69d37486795cb309731a5d0f", "type": "eql", - "version": 316 - }, - "ad02da2f-443d-454c-a12e-d9e6c65831ff": { - "rule_name": "Suspicious Instance Metadata Service (IMDS) API Request", - "sha256": "6c885b8eac41827738f3fcbe182e4d52efd637f9afbb89701b80b0778c1b3a5a", - "type": "new_terms", - "version": 1 + "version": 315 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "rule_name": "Signed Proxy Execution via MS Work Folders", "sha256": "b2f6c9bec79b6a35c9205b12fefba6eea6a3d58cc512e07f94ff0aedc61f79d0", "type": "eql", - "version": 318 + "version": 317 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", 
@@ -8904,13 +8861,13 @@ "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "c7bbefa6cd24512e29b52401dd4e13dae67b32db59c469837cc5157d7fb8f7ad", "type": "query", - "version": 211 + "version": 210 }, "ad5a3757-c872-4719-8c72-12d3f08db655": { "rule_name": "Openssl Client or Server Activity", "sha256": "8ee09f0722e3d4094b5116fcd3ccdf47c8466d3dedaf45a2bce8131e571a5590", "type": "eql", - "version": 109 + "version": 108 }, "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": { "min_stack_version": "9.4", 
@@ -8926,157 +8883,157 @@ "rule_name": "Decline in host-based traffic", "sha256": "a9db6c29e8b8c460f4f349d40a9db66f98d86d48043a2c992b7cb77ae0d82c0c", "type": "machine_learning", - "version": 106 + "version": 105 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "51d7f733e3374dcbe3976ae51a6bc313af267acc5db56d25e523260a910d942b", "type": "query", - "version": 218 + "version": 217 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "7e0e9edcd353321915ab04263138fc1a2c2cd6827c51ba0fe5874b5472b53d0f", "type": "eql", - "version": 112 + "version": 111 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { "rule_name": "Suspicious APT Package Manager Execution", "sha256": "750bf0616ef3c52e7f9c6631ec3e3cfea69beba6673151f2e6c6e12bd6e124ca", "type": "eql", - "version": 112 + "version": 111 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "File Transfer or Listener Established via Netcat", "sha256": "9a8cd6f888fb568bcebde8a607523abff1e1b5f2093b48a188b2627cf7128d9f", "type": "eql", - "version": 217 + "version": 216 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", "sha256": "25f56d2f9491f0092ef37953f27c85ac8fb17360040a148f54492118de0a5e17", "type": "eql", - "version": 15 + "version": 14 }, "ae32268b-bfd0-4c35-b002-13461b5830ca": { "rule_name": "AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN", "sha256": "16982d441cf7c3bd9a76f4382a9c20f7c5a0b6c0d541357c5d9ee793ea06855f", "type": "query", - "version": 2 + "version": 1 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "rule_name": "Suspicious File Creation via Kworker", "sha256": "6e872d7e24f0c0631132efe9f516b618480f9f40705f831a449c368918b4bb77", "type": "eql", - "version": 112 + "version": 111 }, "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b": { "rule_name": "Suspicious React Server Child Process", "sha256": 
"8fc6e17b6f87f1749ad3b2ec19e38059ad1d2b55818befec965af351912cd17d", "type": "eql", - "version": 4 + "version": 3 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "883090677565ee7aa2d93b1e7f79a7aa9d9ea846e70568a4cba3893649ac00bd", "type": "eql", - "version": 212 + "version": 211 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created by Previously Unknown Process", "sha256": "178fb249bd43c2383b67d1411b9fb257d092c368cea0ac05d03be5b785d42606", "type": "new_terms", - "version": 16 + "version": 15 }, "aeebe561-c338-4118-9924-8cb4e478aa58": { "rule_name": "CrowdStrike External Alerts", "sha256": "037f1bbd2a34edbd83be30b5fe879ea4147544e216a7ecf2e0337b876b72ec45", "type": "query", - "version": 3 + "version": 2 }, "af1e36fe-0abd-4463-b5ec-4e276dec0b26": { "rule_name": "Linux Telegram API Request", "sha256": "0a3c43255d3c95aedd0f97b4e22701b135b6b447294478eeb2109f17a773414d", "type": "eql", - "version": 6 + "version": 5 }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "Entra ID OAuth Device Code Grant by Unusual User", "sha256": "4fc095fc9ea36c19a1fb10bbbbccdb154cdd62f352e4dae8ea2ae5159c322f82", "type": "new_terms", - "version": 11 + "version": 10 }, "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": { "rule_name": "Okta Alerts Following Unusual Proxy Authentication", "sha256": "654269218ea4d36e4c6c44c897f0d1045a8e3958ec8ada141505606d41445514", "type": "eql", - "version": 4 + "version": 3 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", "sha256": "7d10e6efd142a09f199ae3461997c14ec7ea789aa43adcd41b7177e7664189c9", "type": "eql", - "version": 11 + "version": 10 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "rule_name": "Local Scheduled Task Creation", "sha256": "29f6f4c86ee173e96f81e6df15192dbe3420e73d4bde62a8efc9a4a338676008", "type": "eql", - "version": 214 + "version": 213 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "rule_name": 
"Network Activity Detected via cat", "sha256": "c7ba64794076705bc9730b99d67877072cc6f9ae46d2bea1a55cc73dab2a3ebc", "type": "eql", - "version": 13 + "version": 12 }, "afdca1e0-0f8a-4fcf-9e1e-95e09791e3cd": { "rule_name": "Curl Execution via Shell Profile", "sha256": "90ee59b3a454a03021437f01fc2442fd3503fe941f69d4a9b7fda0d1ca4af237", "type": "eql", - "version": 3 + "version": 2 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "rule_name": "Potential Privilege Escalation via Container Misconfiguration", "sha256": "7f9907f21f21b24e6aac00e4e7706f5dbc9c8ab5891e9ece18d88f30aaec68da", "type": "eql", - "version": 12 + "version": 11 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", "sha256": "4fd7e132e755404d1ae3176095c943d11912cc430d74e29e24622bf7b9118cf2", "type": "eql", - "version": 111 + "version": 110 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", "sha256": "2de0c7e6afc5a090ed826fbef600250fcaf3386d0dea5229916795bef6153462", "type": "eql", - "version": 112 + "version": 111 }, "b0450411-46e5-46d2-9b35-8b5dd9ba763e": { "rule_name": "Potential Denial of Azure OpenAI ML Service", - "sha256": "c1ef34302dc9874b98d408675be77d3bbd72765a0566a6b19735cd3f44abfcf7", + "sha256": "d051b64ad0087c58738ea692d5e4f34df38958811cba31ac68d403b214bdfb77", "type": "esql", - "version": 7 + "version": 5 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "rule_name": "Netsh Helper DLL", "sha256": "b7f6e527b15faa58aea7339a5470321f39e1884c6936aae54c724743a99b9b66", "type": "eql", - "version": 209 + "version": 208 }, "b07f0fba-0a78-11f0-8311-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Web Service", "sha256": "8dee5585853fc2cc29d0a3fa86c34646de7bc439f3082c135445169f367d5ede", "type": "new_terms", - "version": 7 + "version": 6 }, "b0c98cfb-0745-4513-b6f9-08dddb033490": { "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables", "sha256": 
"e448d9b59d2f49b4c015b5980d16a6a35c92a493127292ce515a5a6d268491f6", "type": "esql", - "version": 12 + "version": 11 }, "b11116fd-023c-4718-aeb8-fa9d283fc53b": { "min_stack_version": "9.3", @@ -9092,19 +9049,19 @@ "rule_name": "Kubeconfig File Creation or Modification", "sha256": "c170db655cc983bc2f7399ca8f83b883daa93945d755cb705d587cfed18454bf", "type": "eql", - "version": 105 + "version": 104 }, "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { "rule_name": "Hidden Directory Creation via Unusual Parent", "sha256": "a716f97119f1a7d01b1d42ed01f50aa1449a2b0330b185499e04caa530245f62", "type": "eql", - "version": 107 + "version": 106 }, "b1773d05-f349-45fb-9850-287b8f92f02d": { "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", - "sha256": "fe2dd63b825311ec149f4abbb7a2b4ac98755b8186de5519e40c46a42669e1c2", + "sha256": "e961ffee8a9b22251e73628ba1a1675421a7f04f8279b096b29fa3ec412f31c1", "type": "esql", - "version": 9 + "version": 7 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", 
@@ -9116,73 +9073,73 @@ "rule_name": "Potential Network Share Discovery", "sha256": "d7a2f1e37fdf49243ac43e4049ebc1395e41378971a27a1bbc4df975c9ac465a", "type": "eql", - "version": 111 + "version": 110 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", "sha256": "6f5749f79295a76dfb8b39ad7c7cd307890d4e6907b1978e040776de3c977e5b", "type": "machine_learning", - "version": 109 + "version": 108 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", "sha256": "9cbdcf3fafd22659be1b5e8eea827bb8893cc7512c49d88c46dd4cde92880ee2", "type": "eql", - "version": 219 + "version": 218 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion", "sha256": "34ec15b2762501830ba72e2159a10d9fa8710df212375f979160411eb08ffcb5", "type": "query", - "version": 214 + "version": 213 }, "b29b7652-219f-468b-aa1f-5da7bcc24b03": { "rule_name": "Potential Traffic Tunneling using QEMU", "sha256": "3bed4972669528914c4056e133fe899c9b4d6e66d957bce8d06c418ce3f1a32e", "type": "eql", - "version": 4 + "version": 3 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", "sha256": "df2d7525dd2d1f86cbcda0b5d9da2f2a62195e24e8a9a26ea63b47ecc7a2a7d4", "type": "eql", - "version": 215 + "version": 214 }, "b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": { "rule_name": "Azure Storage Account Deletions by User", "sha256": "9f4fc0bbadb6f42109d9f6264472caa5cfbd9ae6935c6b3e0a098c00ede91f06", "type": "threshold", - "version": 3 + "version": 2 }, "b2c3d4e5-f6a7-4890-b1c2-d3e4f5a60789": { "rule_name": "Kubernetes Pod Exec Sensitive File or Credential Path Access", "sha256": "06fbcbacaf9ae7b1d3578891aa86583861c48ccca12f5861d9996f25a84552a7", "type": "esql", - "version": 2 + "version": 1 }, "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": { "rule_name": "Potential Account Takeover - Mixed Logon Types", "sha256": 
"fec263f1a8e25a341fbc4d919058aefe36ed0aa33d27a7bef776cc039a301126", "type": "esql", - "version": 4 + "version": 3 }, "b2c3d4e5-f6a7-8901-bcde-f123456789ab": { "rule_name": "GenAI Process Compiling or Generating Executables", "sha256": "fcd00363e060ee80ac289741c1c9004fa4bbe11c759b50769070b13d5466008b", "type": "eql", - "version": 4 + "version": 3 }, "b2c3d4e5-f6a7-8901-bcde-f23456789012": { "rule_name": "GenAI or MCP Server Child Process Execution", "sha256": "26ee62ae8a201d334f1e43011a5acaa008ecb5e19c928b921faa25e0d95582b0", "type": "eql", - "version": 4 + "version": 3 }, "b2f8c4e1-6a73-4f1e-9c2d-8e5b0a1d3f7c": { "rule_name": "AWS EC2 Role GetCallerIdentity from New Source AS Organization", "sha256": "24583dae8dc1aba73158f2983e7c0a370cbddc64cdf80ad1a3ed2b84d9ea8870", "type": "new_terms", - "version": 2 + "version": 1 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "min_stack_version": "9.4", 
@@ -9198,74 +9155,74 @@ "rule_name": "Unusual Linux Username", "sha256": "a673ca8052fc4de0d8f2386e8976429868d4129e24c96fe5d0352c5de423237f", "type": "machine_learning", - "version": 208 + "version": 207 }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", "sha256": "ba3d38a0e3792f9fc94cbca598270b727fea2afd947bc1a201a93fd18ce7746b", "type": "eql", - "version": 10 + "version": 9 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "378bd1d2c1a58cde20ec32623670281d8a2167d171f8bfd09ec3a767c466ab03", "type": "eql", - "version": 323 + "version": 322 }, "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": { "rule_name": "Suspicious Python Shell Command Execution", - "sha256": "171fc7a88cb70dc2d963886c0e1f655e5e7d75971d87929cd8594e5a561a2628", + "sha256": "6cdfde87acbd94abc4aa15493236dc5cc3d5ba2b9477e6a84979cf1309c83e1f", "type": "esql", - "version": 6 + "version": 4 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "572bc27e692189379dafcde1361251f5e3e288eabd3bf6783395dc77d479a941", "type": "eql", - "version": 217 + "version": 216 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", "sha256": "aa4c16259c4ca94dffd3cb61e6cdba1aa20599065aaf7ae56a8a21eb1b08a65d", "type": "eql", - "version": 112 + "version": 111 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "rule_name": "AWS STS GetSessionToken Usage", "sha256": "b0f5631b927606bf9cd543de35f1eb1f4e1a5a5655e0dcc70fa9ef1b9dc1fd81", "type": "query", - "version": 212 + "version": 211 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "rule_name": "At.exe Command Lateral Movement", "sha256": "d31b85a4a0c3afbb2fa6829eab9297104af0e9d5fb668fe2f19260b5b0303df0", "type": "eql", - "version": 109 + "version": 108 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "rule_name": "Attempt to Delete an Okta Policy", "sha256": 
"09cc425582bd4ac3d390cbb63c58e980708b2e3f438f39b376f3f2a95b4a2346", "type": "query", - "version": 416 + "version": 415 }, "b4bd186b-69c6-45ad-8bef-5c35bbadeaef": { "min_stack_version": "9.3", "rule_name": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers", "sha256": "90830399dbd7961335bf3a8753f257d25c33dbcdbc1474f0e95c96133eea6f2e", "type": "eql", - "version": 4 + "version": 3 }, "b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c": { "rule_name": "Kubernetes Rapid Secret GET Activity Against Multiple Objects", "sha256": "e7c54086214a71bb038838607a536ef7aa41291266fa5de8bfed8550c1264f6d", "type": "esql", - "version": 3 + "version": 2 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via unshare and UID Change", "sha256": "3cd020f114e1352ff5935c6e5577a9adcf1860443b9620b2062b4dc2a5b72a4a", "type": "eql", - "version": 12 + "version": 11 }, "b53f1d73-150d-484d-8f02-222abeb5d5fa": { "min_stack_version": "9.3", 
@@ -9281,74 +9238,74 @@ "rule_name": "Kubernetes Direct API Request via Curl or Wget", "sha256": "5848bf5a4bd044df06ef95227df444a60c1471ca1bcb5523d37347327c87dc52", "type": "eql", - "version": 105 + "version": 104 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", "sha256": "ec49b73ddecb2a3d97ae0249883658375bafc409d58d3f59db1174f5aaeb3f85", "type": "eql", - "version": 321 + "version": 320 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "a9c315fd8704d74060623e2eccc8e9f3b65a119d4ed251abcdfdd52901b0379f", "type": "eql", - "version": 319 + "version": 318 }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", "sha256": "0021061d622b59482f91129c9afd828047712d6ca62d4a338937389e67656e41", "type": "new_terms", - "version": 9 + "version": 8 }, "b625c9ad-16e5-4f16-8d38-3e9631952554": { "rule_name": "AWS CloudShell Environment Created", "sha256": "5c7433e67902ee4b52322b5abc5120bfc4053b3280ef95a2a30a852c97a66aaf", "type": "query", - "version": 4 + "version": 3 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", "sha256": "a72ebf831df03c21d401b9f11214fb6941e12203f4375308a7cf89f9a8d39865", "type": "eql", - "version": 115 + "version": 114 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "c8097fa09dce15e87aeff4ba80fdb83d373b329e1e3c1253d68ead481505686a", "type": "eql", - "version": 216 + "version": 215 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "rule_name": "Potential Veeam Credential Access Command", "sha256": "05e08f6a48db8458789f9657614baed791232ae181993e95ccdf444a38300d81", "type": "eql", - "version": 211 + "version": 210 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", "sha256": 
"0a84161e37b3038a5efaae0ed7135d830767e9480bffeb05bdba6fb297f50e2c", "type": "eql", - "version": 111 + "version": 110 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "14d28d7f25487dce62c1587886b4b74480f9c2a4198f69e2e55470d4d623e08d", "type": "query", - "version": 110 + "version": 109 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "fc573fd91afba592e2599a9f648c7f7c87ba1b94a672fe37c1f1bc6f40fc905a", "type": "query", - "version": 416 + "version": 415 }, "b799720e-40d0-4dd6-9c9c-4f193a6ed643": { "min_stack_version": "9.3", "rule_name": "File Creation and Execution Detected via Defend for Containers", "sha256": "4e1519a4656adf5de7dc890fa4f66a7b9a90263c36d67d8096b6835ad4f17220", "type": "eql", - "version": 2 + "version": 1 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", @@ -9360,7 +9317,7 @@ "rule_name": "FortiGate Configuration File Downloaded", "sha256": "b65dfbbd01ddf09e8bd7de4c17e9af0caeda5f94219d9520352f4f63c62a2c71", "type": "eql", - "version": 4 + "version": 3 }, "b7f77c3c-1bcb-4afc-9ace-49357007947b": { "rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike", 
@@ -9372,86 +9329,86 @@ "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "d606a36377e206ed6b63e174f9aa93773b33099aaf113724d19e45c60c18555f", "type": "query", - "version": 415 + "version": 414 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", "sha256": "fa7b67791e4a1c0bddd450fbbbaf999f5c80e8ca6fdcb193e3822be4d331ba5b", "type": "new_terms", - "version": 9 + "version": 8 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "310b917a14e643bd8b9da746b930eca41250db760858b9591499e47052cc695e", "type": "query", - "version": 114 + "version": 113 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "372472e0e1be987ba5607f0b0985f7873818d79075d5d551094c911df93db55c", "type": "eql", - "version": 419 + "version": 418 }, "b84264aa-37a3-49f8-8bbc-60acbe9d4f86": { "min_stack_version": "9.3", "rule_name": "Tool Enumeration Detected via Defend for Containers", "sha256": "37e4e5763b25cbe64d5632bc00bbda463f9ba20fc814a0423fd17c8143dc22a0", "type": "eql", - "version": 2 + "version": 1 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", "sha256": "8902326fd29e6491af0a64878eb8f4e07e31da66e984848dff33107dfc14dc6f", "type": "eql", - "version": 213 + "version": 212 }, "b8c3e5d0-8a1a-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Recovery Services Resource Deleted", "sha256": "1b78e1a881f43c3177aead24fc927410356a5d006d1cda47e70d26a9e9641342", "type": "query", - "version": 2 + "version": 1 }, "b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e": { "rule_name": "AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure", "sha256": "9ee4397ac53d88b12b6a16d40ab8c34703453f21aa536fd9946f4989fc31d8f7", "type": "esql", - "version": 2 + "version": 1 }, "b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c": { "rule_name": "Potential Credential Discovery via Recursive Grep", 
"sha256": "6e1f7fd530c168e50461f4e7afc7b92b389edc311ca0657f61cae0b885e3fab0", "type": "esql", - "version": 2 + "version": 1 }, "b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": { "rule_name": "M365 Purview DLP Signal", "sha256": "e3ef983c1782d0d31d55c56f099f438dbf0e1180aa4222c17d078488f0692878", "type": "query", - "version": 3 + "version": 2 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "rule_name": "Kirbi File Creation", "sha256": "ecaa3fb532fa9adc94bdd4490159fd87d162a316b180bcc92f9911131f8bbaa3", "type": "eql", - "version": 317 + "version": 316 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "521aa3e9bb538b547685c1ec1a9f12c5c4e34de5c31cfb9f0bd18ed219ae178a", "type": "eql", - "version": 315 + "version": 314 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "rule_name": "Chkconfig Service Add", "sha256": "d0cc5c171239dbcb104a7489e747f4fa4712d1f0b9d0c7c2c40c266c6e44d456", "type": "eql", - "version": 220 + "version": 219 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", "sha256": "39ff2ecd53d1273176883da80f5c853cba5c7d5cffe7daac11a6b8735507dd0f", "type": "eql", - "version": 7 + "version": 6 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", 
@@ -9463,31 +9420,31 @@ "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "9ac9d0123bbe07619ef3f68e09b71e3a234dee94a91f0ad58a5ea042ad48a1b0", "type": "eql", - "version": 216 + "version": 215 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories via CommandLine", "sha256": "ccc20438dabf95f6714661407dca782bba70fc5acf468c799afa0997f7cfbd74", "type": "eql", - "version": 117 + "version": 116 }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "5623b8facb7575ee89888665115a6288b762d8c7cae967408f985102c8808ddb", "type": "eql", - "version": 318 + "version": 317 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "rule_name": "File Creation by Cups or Foomatic-rip Child", "sha256": "dca11625c815b4157b45c06d2d04e7f72ef5ba0ecdd1fed7cc9cfd8e42cd42ac", "type": "eql", - "version": 108 + "version": 107 }, "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e": { "rule_name": "Anomalous React Server Components Flight Data Patterns", "sha256": "0c4d821949f83cc7229d9d2a9c117db1c8e639e5e03279e9ec182569ea1e7232", "type": "eql", - "version": 2 + "version": 1 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "9.4", 
@@ -9503,67 +9460,67 @@ "rule_name": "Unusual Windows Network Activity", "sha256": "0833f86da12207c117de1da3165a8d471bbf136effa8f292075b2d66982d01cd", "type": "machine_learning", - "version": 312 + "version": 311 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", "sha256": "54a16034019a7ff529433229ee9420420463a6b64f855b1f8182e9c979f31d11", "type": "new_terms", - "version": 7 + "version": 6 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", "sha256": "881df1bf3e0d1bd5035f0163b4c6fbea98426fdad7f5e30cd133d408466dfd22", "type": "eql", - "version": 9 + "version": 8 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "6454e889c2cf1a148a8d04442b4e67982eff43b66dfcdbe6816253576c2ae7b6", "type": "eql", - "version": 215 + "version": 214 }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", "sha256": "461b925e57497fdcaf88f08873d86a0fb8d0e9ea1252e6c241ef05fffd27a95d", "type": "query", - "version": 9 + "version": 8 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deleted", "sha256": "4966f18990999e99b3a63b622da1f44cd27813206a0d44992e191ef7efd3f6d8", "type": "query", - "version": 110 + "version": 109 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", "sha256": "72ecee4d940e2c2157819f24ecedf8a8cb830b55105eac72e766fe6ced901463", "type": "query", - "version": 214 + "version": 213 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "M365 OneDrive Malware File Upload", "sha256": "f04d6d39681c375512b7e813dc80c792d70026ba6d551afbfa7734b166ea15cd", "type": "query", - "version": 214 + "version": 213 }, "bba8c7d1-172b-435d-9034-02ed9289c628": { "rule_name": "Potential Etherhiding C2 via Blockchain Connection", "sha256": "adf13fd4f74075a1c4d807c951b541af172e2bded395dbbfe1ba42983acd3d22", "type": "eql", - "version": 3 + "version": 2 }, 
"bbaa96b9-f36c-4898-ace2-581acb00a409": { "rule_name": "Potential SYN-Based Port Scan Detected", "sha256": "815c666bcc295daeb2243a634ef0d8210a3b075ef8218de881cc4d8e7cb3cfce", "type": "threshold", - "version": 15 + "version": 14 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "M365 Teams Custom Application Interaction Enabled", "sha256": "826ec6d81ce8b9a10f38fc995c045cd647df5d059bdac072fb532a9260900581", "type": "query", - "version": 215 + "version": 214 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "Deprecated - AWS Root Login Without MFA", @@ -9575,25 +9532,25 @@ "rule_name": "GCP Storage Bucket Deletion", "sha256": "37900dac2079159d4340059ef6567def876171c5672fdfc7278c6c8f0ca6fe79", "type": "query", - "version": 109 + "version": 108 }, "bc0fc359-68db-421e-a435-348ced7a7f92": { "rule_name": "Potential Privilege Escalation via Enlightenment", "sha256": "e0ba4cc9f179a908179ae1b8fb08501b168e5dd989246796d70691f3f4eff7f0", "type": "eql", - "version": 8 + "version": 7 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", "sha256": "7acb4cc8693f671522ac4141af3c6f946771d3534b18f6afef6140a69a1b8a52", "type": "eql", - "version": 111 + "version": 110 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Entra ID Conditional Access Policy (CAP) Modified", "sha256": "988c323c28814045bd05e064128d2969aaebf8c51e11e47537a3e2aa3f0767d2", "type": "new_terms", - "version": 111 + "version": 110 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "rule_name": "Deprecated - Potential Non-Standard Port SSH connection", 
@@ -9605,31 +9562,31 @@ "rule_name": "File and Directory Permissions Modification", "sha256": "1229abc2361eeaad582a81ee4da6660075a6f9350b3ed2da734f3651b6d383d5", "type": "eql", - "version": 5 + "version": 4 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", "sha256": "c37a8742cc3fe968d7ca34eae92c6bbf6d72f20a731a8e600078e0c76f998332", "type": "query", - "version": 109 + "version": 108 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "sha256": "56d1f942df83d7f90dce141e8d61ea6c55751a210ce9f2acedfd94a2aea52eea", "type": "query", - "version": 11 + "version": 10 }, "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": { "rule_name": "Entra ID Protection Alerts for User Detected", "sha256": "bf979378a73ec562baf65cabd933ec22b6c70d6c288387eed998e3836179e977", "type": "eql", - "version": 6 + "version": 5 }, "bd18f4a3-c4c6-43b9-a1e4-b05e09998110": { "rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab", "sha256": "87629b7d4d5b9fc75f1a26d77b396e39a528483a25c72d1238b5ebf5271839b9", "type": "eql", - "version": 5 + "version": 4 }, "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": { "min_stack_version": "9.4", 
@@ -9645,25 +9602,25 @@ "rule_name": "Spike in Privileged Command Execution by a User", "sha256": "7279a20292c17acab33b638a44a567480719079cc6518fe2f59f35f86e1e2cd4", "type": "machine_learning", - "version": 105 + "version": 104 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "rule_name": "PowerShell Keylogging Script", "sha256": "2b2c41d8349db184a3dfcf109c0e32f06a4e29eb8036f85956a55e479cedaf1c", "type": "query", - "version": 220 + "version": 219 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "ceeb8a74a863b5756a29ed6a9a6224998612c5ec72c4b20afaa84daa0dddbff1", "type": "eql", - "version": 110 + "version": 109 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "df28d4809713bc1224246014d11ffc61f9ef0436ecb8801c2fbd495bf8201d57", "type": "eql", - "version": 216 + "version": 215 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Deprecated - Potential Pspy Process Monitoring Detected", @@ -9675,13 +9632,13 @@ "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "1cc8b614d64dee3f72481d18cbea5d29b1c50f73e18f0bf1ace62841c74a8ee7", "type": "eql", - "version": 217 + "version": 216 }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "rule_name": "Execution via Windows Command Debugging Utility", "sha256": "caed468a427a737d9f364fbc48acbfd232a094fd7c94911ccb2b0d0c53acba07", "type": "eql", - "version": 112 + "version": 111 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "9.4", @@ -9697,7 +9654,7 @@ "rule_name": "Host Detected with Suspicious Windows Process(es)", "sha256": "65c718364c96010a79d85d5d5f9d03c5177768aef95e93280491ac2544384804", "type": "machine_learning", - "version": 212 + "version": 211 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "min_stack_version": "9.4", 
@@ -9713,31 +9670,31 @@ "rule_name": "Unusual Remote File Directory", "sha256": "a88cb06ef463fb2f2dd4327dd31c5d47692a0c11539c9e458a25c9f32b348668", "type": "machine_learning", - "version": 110 + "version": 109 }, "be70614d-4295-473c-a953-582aef41c865": { "rule_name": "Potential Data Exfiltration Through Curl", "sha256": "10a4816f54ea177fa9e3d1289e45f425f1497b53d4964f359dcd7a1cdd2e729d", "type": "eql", - "version": 8 + "version": 7 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "eb48a9a1d6f3695d16aabc2eac3cb9e8194fb43afd70c67b86f37958aff0734e", "type": "eql", - "version": 319 + "version": 318 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", "sha256": "4b30455cb83458f81769269a3dcfb5e5d22f50e9966e84c186dacdc5f9522ba9", "type": "query", - "version": 215 + "version": 214 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", "sha256": "8333574a0bd6910364814cb33d533eeb7ff3ce241fecbde36cde344d754dd008", "type": "new_terms", - "version": 9 + "version": 8 }, "bfba5158-1fd6-4937-a205-77d96213b341": { "min_stack_version": "9.4", 
@@ -9753,49 +9710,49 @@ "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "sha256": "e2736f2b927fe65d4fc0264b0645cba4262fbd1677b221588f935a637edb5e29", "type": "machine_learning", - "version": 108 + "version": 107 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "0b824a6c76d9e6ba990e3246a364639ed381da6595f7a64e4d7f87c5775b5c41", "type": "eql", - "version": 220 + "version": 219 }, "c0136397-f82a-45e5-9b9f-a3651d77e21a": { "rule_name": "GenAI Process Accessing Sensitive Files", "sha256": "7c9b692a829b9a52b6aad77ef0ca0d339f3a4ee67c3e4adddb2bafcc92231395", "type": "eql", - "version": 8 + "version": 7 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "0bd519abe65e56eef7207d3456911a0aaaeb511637bdc1491f081d31cf4b7bcc", "type": "eql", - "version": 115 + "version": 114 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "b6eebc798b4afada8d3bfa956f8703fcae15edef82c4f929e74945195f9edfee", "type": "eql", - "version": 317 + "version": 316 }, "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { "rule_name": "AWS IAM Login Profile Added for Root", "sha256": "fc6421375be76d4d0aeb919f460c45ddcd0823a216c78aec752e89f1a089b287", "type": "eql", - "version": 8 + "version": 7 }, "c07f7898-5dc3-11f0-9f27-f661ea17fbcd": { "rule_name": "Azure Key Vault Excessive Secret or Key Retrieved", "sha256": "6a9647be6235ab05a6f7dfabd7f0d07837ac5d2715b017dd8a41615e3cbda393", "type": "esql", - "version": 10 + "version": 9 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", "sha256": "9c208b045f8d819107c56a6d07dfab00cbb11c4b5f50381febbaac9d1a06045b", "type": "eql", - "version": 5 + "version": 4 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential Manipulation - Detected - Elastic 
Endgame", @@ -9807,7 +9764,7 @@ "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", "sha256": "2791043f63074536de6e74909024903fb85f453091d8d74b441586745316aeea", "type": "query", - "version": 109 + "version": 108 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { "rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File", 
@@ -9829,55 +9786,55 @@ "rule_name": "Rare Azure Activity Logs Event Failures", "sha256": "e2a374e0c05a03580026cac6094e7fd3d00628dc2cf6965875239f25a04d15b0", "type": "machine_learning", - "version": 102 + "version": 101 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "ffae753e96e57c8e771abab86446ad7034e302f6824a3d98b89951e0504bc73c", "type": "query", - "version": 214 + "version": 213 }, "c18975f5-676c-4091-b626-81e8938aa2ee": { "rule_name": "Potential RemoteMonologue Attack", "sha256": "ca992e1b21d0fb0f0754149fd57b64002ad44fe7f9e500b94ef60dabd6554ff0", "type": "eql", - "version": 8 + "version": 7 }, "c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User", "sha256": "2b8eebb4194717375909b29a3d0a794425d40404f5ccf9adf851172212ad6a63", "type": "new_terms", - "version": 3 + "version": 2 }, "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { "rule_name": "Unusual AWS S3 Object Encryption with SSE-C", "sha256": "53db6d3be010ac57b9e40bf2d75485e498825d37934550bd8ab3cf91ba0d85e7", "type": "new_terms", - "version": 9 + "version": 8 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance", "sha256": "bb336839fab870f4b8ceed4a37e64fa3808c9d4ec3557d5d7eb61cb308f89cab", "type": "new_terms", - "version": 10 + "version": 9 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "ee0bd1f86590675b1968e6c9acb3c60ff51ea57e2c22d45881495ae30a89caae", "type": "eql", - "version": 108 + "version": 107 }, "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", "sha256": "85e2710c5bac83b3134e7c2720609257a02d708edb281beb58dc59c73e2de482", "type": "eql", - "version": 8 + "version": 7 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": 
"fc40884b4f7c36580a2055b06ccce31e99c605042fc0bfad38e16a5124224c40", "type": "eql", - "version": 320 + "version": 319 }, "c28750fa-4092-11f0-aca6-f661ea17fbcd": { "rule_name": "Entra ID Sign-in BloodHound Suite User-Agent Detected", @@ -9899,31 +9856,31 @@ "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "3dc62da3e3d7eced397232fa5845611453226b59e213bd3c2165f786154ca80d", "type": "machine_learning", - "version": 208 + "version": 207 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", "sha256": "0e4561214fbcbee7b437528faea36307cf2255abd709788284dc2e7f5a740232", "type": "eql", - "version": 114 + "version": 113 }, "c296f888-eac6-4543-8da5-b6abb0d3304f": { "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", "sha256": "3928140ff2c2daa2baa63a3c01524bc5693142c460ae8797ab4165dacfd176cb", "type": "eql", - "version": 8 + "version": 7 }, "c2a91e88-4f4b-4e1d-9c7b-8fde112a9403": { "rule_name": "Kubernetes Multi-Resource Discovery", "sha256": "e9df8056e4a85a5472fe686ba09143d567fbfa73ea785130804494fd595a35ed", "type": "esql", - "version": 3 + "version": 2 }, "c2d90150-0133-451c-a783-533e736c12d7": { "rule_name": "Mshta Making Network Connections", "sha256": "67d1ef2cd2105b6cecf6813688a2ace55466bd1724113c42d7270a1b06b04c3f", "type": "eql", - "version": 214 + "version": 213 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", 
@@ -9935,67 +9892,67 @@ "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", "sha256": "f813eeef96588e7cc2eb90e1e91b32f2b9304bdb6c040357a4cf1ef6b41f0748", "type": "new_terms", - "version": 8 + "version": 7 }, "c37ffc64-da75-447e-ad1c-cbc64727b3b8": { "rule_name": "Suspicious Usage of bpf_probe_write_user Helper", "sha256": "7382f00fdf9d126382835eb8bee6dff6b8ee9806023856161c3f82b90b2ca17d", "type": "query", - "version": 6 + "version": 5 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "fe431606017738cc0bd512442d6aee9241821aa49a4476107d876e8521e564b3", "type": "eql", - "version": 416 + "version": 415 }, "c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f": { "rule_name": "Azure Compute Snapshot Deletion by Unusual User and Resource Group", "sha256": "a1d9d307839b1e0d90287d6c6ed01a10b4b39429715cb89a1c24aa185ef4492a", "type": "new_terms", - "version": 3 + "version": 2 }, "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": { "rule_name": "Suspicious Execution from VS Code Extension", "sha256": "0f323f54766502b2aad2e8d828583874f64015a7eeec98250bf8732f25af760a", "type": "eql", - "version": 4 + "version": 3 }, "c3d4e5f6-a7b8-9012-cdef-123456789abc": { "rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", "sha256": "0e3a9be309a444967ebb0ea0d972afde8a15a17b8b25372f908c366b1d81db60", "type": "eql", - "version": 4 + "version": 3 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "6a1e4a58107207bd64985edd80b630efbfb2c0257405b1e8eb91b08ce480f0eb", "type": "eql", - "version": 109 + "version": 108 }, "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": { "rule_name": "Multiple Remote Management Tool Vendors on Same Host", "sha256": "a2a54475f704eefeffbf2dcbcf805691146faa7d3123844010c0c45770bd3871", "type": "esql", - "version": 4 + "version": 3 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "rule_name": "Mounting Hidden or WebDav Remote Shares", 
"sha256": "b2f5778133cc8aec0658f483a77022ff1900c12bf95be595d306fb72db8ed0e5", "type": "eql", - "version": 318 + "version": 317 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6bacc434838270cd66c5fd783aca76bc1c83083165ba5a2b6dcff8bc6d8969a5", "type": "eql", - "version": 314 + "version": 313 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", "sha256": "212aaec8993088800bd4d7f70a7332eaf7e5bc714183097e26fb19acf8ebc70e", "type": "eql", - "version": 8 + "version": 7 }, "c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": { "min_stack_version": "9.3", 
@@ -10008,91 +9965,91 @@ "rule_name": "Attempted Private Key Access", "sha256": "433198f3e83515be6a9fb2d81a58e55f395ca9b6c12755ce513c08a8eccdf886", "type": "eql", - "version": 112 + "version": 111 }, "c562a800-cf97-464e-9d6f-84db91e86e10": { "rule_name": "Elastic Defend and Email Alerts Correlation", "sha256": "1d45173532d147acd49f542150b35f7e6997ea1d1c48a6d1d776f8414cf10ed5", "type": "esql", - "version": 5 + "version": 4 }, "c5637438-e32d-4bb3-bc13-bd7932b3289f": { "rule_name": "Unusual Base64 Encoding/Decoding Activity", - "sha256": "258ed700b47e9986b528be70273807ff6f0f6157da957fbb25e6923ae95f8860", + "sha256": "2d14a4c5396bcc49e6fe161442552ba4adf549a8847239fa8ecdb52c67edeb8c", "type": "esql", - "version": 13 + "version": 11 }, "c5677997-f75b-4cda-b830-a75920514096": { "rule_name": "Service Path Modification via sc.exe", "sha256": "22e84ad2b75e336fb97f7a6c7a63140dd8f907a4d863e0569c43993bbe498833", "type": "eql", - "version": 110 + "version": 109 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "34a8a87924c6ad4c5cef9cc2bc41b91633417cb0bbbfb65a121e7ff38c26de9b", "type": "eql", - "version": 317 + "version": 316 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "2c04fe383e0cbfd24a060a3f7df45e8a67ad83994225466b84eee7b04d91bcb4", "type": "query", - "version": 110 + "version": 109 }, "c595363f-52a6-49e1-9257-0e08ae043dbd": { "rule_name": "Pod or Container Creation with Suspicious Command-Line", "sha256": "6a5835653ce8a44460f7a6265334f5715cec34eef906940d610adfd93fef4883", "type": "eql", - "version": 3 + "version": 2 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "70e2670083262dede9e0ac99658ca19c7de178ec58e04799de51dd05c7de93a5", "type": "eql", - "version": 215 + "version": 214 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim 
Databases", "sha256": "c3c888b4c5012aed4c984e2bbe771206e5733964fdc51d7858755a9152742a52", "type": "eql", - "version": 316 + "version": 315 }, "c5da2519-160c-4cc9-bf69-b0223e99d0db": { "rule_name": "Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt", "sha256": "6b7e94971186501aac3530e4bee4b1247c1391d2aa9afe212581dacb76d121a5", "type": "eql", - "version": 4 + "version": 3 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "cf437520e3f654ae85ed65b5d0a9052889488f787bfefcf1a529f15710dd1037", "type": "eql", - "version": 319 + "version": 318 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "427f6a1dc62cfc31d666ea507e0534d2ccb1b1ab11ded936a7c642aca66c0ac2", "type": "query", - "version": 108 + "version": 107 }, "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { "rule_name": "Initramfs Unpacking via unmkinitramfs", "sha256": "670705faa3fa17cf9262d86f5f84c89d2b19a8d98e66695f0d696dd97dee6195", "type": "eql", - "version": 7 + "version": 6 }, "c62733ff-9373-4fdf-9733-3d992e148c93": { "rule_name": "Kubernetes Ephemeral Container Added to Pod", "sha256": "c790909bc3eda3e57868dee65181763def1dddb5b157ac1ecf5390a855d01b24", "type": "query", - "version": 2 + "version": 1 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", "sha256": "fb2fe11496bbfc2388fa376d8b542bf097de5191513c3955377d9ab1235a6d06", "type": "eql", - "version": 321 + "version": 320 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -10110,7 +10067,7 @@ "rule_name": "Suspicious Kerberos Authentication Ticket Request", "sha256": "732dee33aa6139e44513f5881a2dba96f5295987d88fcee4aacd52eb5d2eab03", "type": "eql", - "version": 6 + "version": 5 }, "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": { "min_stack_version": "9.2", 
@@ -10126,85 +10083,85 @@ "rule_name": "AWS IAM API Calls via Temporary Session Tokens", "sha256": "900d6953f4a641966f554449d8d96bb0358a325597f719a61787949c359dcd23", "type": "new_terms", - "version": 109 + "version": 108 }, "c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": { "rule_name": "Mount Launched Inside a Container", "sha256": "4d00e7499220c3c3a60f9749322ef6e1454af67f7ae410f4f6d7c3f28dff5f95", "type": "eql", - "version": 4 + "version": 3 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "db008a5c21d6a79b33bf9ea050857ae15016c5c6e40839e50335eb211f5f1295", "type": "query", - "version": 415 + "version": 414 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "rule_name": "Attempt to Modify an Okta Application", "sha256": "2e4dcf9c3c6df85922d74052995819ef82f67954d3d74e3ce29388cb2497151b", "type": "query", - "version": 414 + "version": 413 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", "sha256": "5abdcb56935324216ff8d42e978ebb491fbe54cafcc4d7fe8b3ac582d9ad5be1", "type": "eql", - "version": 8 + "version": 7 }, "c766bc56-fdca-11ef-b194-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Client", "sha256": "2754c97acd73e4a1a90ee94002f7eb0e7e45f5d98ba148f2d48097b6cf7db360", "type": "new_terms", - "version": 8 + "version": 7 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "rule_name": "Unusual Network Connection via DllHost", "sha256": "968760f56651ba90e6f5231336d0b45578d1163d2f2e90f692dffe853c7a96cf", "type": "eql", - "version": 214 + "version": 213 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", "sha256": "ce477162c8755daf91cd6ec21a989119639bc8eb2c0373f6e74309d5885da2ca", "type": "query", - "version": 211 + "version": 210 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Operation by dns.exe", "sha256": "5e7a49ea7a36e33b0fee16211e255c693da22703192b2401d1fe49fe7ba2915f", "type": 
"new_terms", - "version": 219 + "version": 218 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", "sha256": "3400eb9c633145b2e7439c65f498db5bfb7dcafd680699d908e79e11eda2a0fd", "type": "machine_learning", - "version": 111 + "version": 110 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", "sha256": "c214ac68f9bcf286e1bb6d40a6982c5bb92697877f85be0a95fbf6efa738cd74", "type": "eql", - "version": 113 + "version": 112 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "10648d7de1f37e2c2263dd57fc51389dffef0106a8e191d1c6011101668c0d04", "type": "new_terms", - "version": 112 + "version": 111 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", "sha256": "748d8e74b57ecaf308003adab7aad2e238595a50ae2ad8ab015b3f5553d1e10c", "type": "eql", - "version": 118 + "version": 117 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", "sha256": "10971404f4a346079b0483d85790d52dc211b28704722b156c33bb04e4afd15d", "type": "eql", - "version": 110 + "version": 109 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", 
@@ -10216,67 +10173,67 @@ "rule_name": "Parent Process PID Spoofing", "sha256": "df65039d7edf82d347ef415b2522979d9e33f3f6c9dfccfe777461e024aaf91f", "type": "eql", - "version": 112 + "version": 111 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "rule_name": "Potential Linux Ransomware Note Creation Detected", "sha256": "5970502fee1978894616af37f79e879604513bcf66ed22247fb150855080e587", "type": "eql", - "version": 16 + "version": 15 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "972012b725a4c8682ab12245bb0f090a12981eef449d2feb19ce9dc5859ada87", "type": "eql", - "version": 321 + "version": 320 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "352973abc5de6aa343cb0a43ebacdc47da892f5ab3ceaee64421d64f9d3f85d1", "type": "eql", - "version": 320 + "version": 319 }, "c8e4f1a2-9b3d-4c5e-a6f7-8b9c0d1e2f3a": { "rule_name": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization", "sha256": "8a3498f14621e9a31ea7d7aba56abfba0a48df0847f409fdbc1aa98c97650e11", "type": "new_terms", - "version": 2 + "version": 1 }, "c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": { "rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource", "sha256": "bd1d6bba6db66e65f1767382604d9b24e1294f3a9ffa4af53d24e543b873f322", "type": "new_terms", - "version": 5 + "version": 4 }, "c8f4a2e1-9b3d-4c7e-8f2a-1d0e5b6c7a89": { "rule_name": "Kubernetes RBAC Wildcard Elevation on Existing Role", - "sha256": "ad0da3e88f87d640e35b24c46ab9d8e5f9e8c291883696c670cb5278a6a35bef", + "sha256": "8be233686963dcee1e3681959cf8ee8ad11a290cf119c734323ac12993497b94", "type": "esql", - "version": 3 + "version": 1 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", "sha256": "cc426be014bfdaeb8153646d980d01ba3d006c7438be1bf1d22e0e29711ea1f6", "type": "eql", - "version": 14 + "version": 13 }, 
"c9636a6e-125e-11f1-9cd3-f661ea17fbce": { "rule_name": "M365 Exchange MFA Notification Email Deleted or Moved", "sha256": "094dc18b50795209d755efb3bdd0584e88c9ec87bae1488a08941d8589795aaf", "type": "eql", - "version": 4 + "version": 3 }, "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": { "rule_name": "Potential Remote Install via MsiExec", "sha256": "1f8c37ec7d8732adc850d44f0551c23cc024a117e900d86c18eddc1e1f5037c1", "type": "eql", - "version": 6 + "version": 5 }, "c9d4e8f1-2a3b-4c5d-8e9f-0a1b2c3d4e5f": { "rule_name": "Kubernetes Pod Exec with Curl or Wget to HTTPS", "sha256": "bfe3e798917b0efcd914fbaa1f3b4a7ac06bb0ae47317afd993519c12eca0dc0", "type": "esql", - "version": 2 + "version": 1 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", @@ -10288,25 +10245,25 @@ "rule_name": "Polkit Version Discovery", "sha256": "9057c8fc734774b49324b875ba5e83569cc77adb125c1abb70688ebfedcdbcc3", "type": "eql", - "version": 8 + "version": 7 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "M365 Exchange Malware Filter Rule Modified", "sha256": "40e40f2b6cade21188d70b1cc6876d692ccaf50e173a15c2d7f5bc6e26d1448b", "type": "query", - "version": 214 + "version": 213 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", "sha256": "2f434bb2fbc6b983bdb724b37e5d80a5191ada3fb55aee8ae2afd61e994acbd9", "type": "eql", - "version": 16 + "version": 15 }, "caaa8b78-367c-11f0-beb8-f661ea17fbcd": { "rule_name": "Entra ID User Reported Suspicious Activity", "sha256": "942738b94399d43ced484e1f6170b1627d22e29e30946bf629ef8b2978c50837", "type": "query", - "version": 7 + "version": 6 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", 
@@ -10318,31 +10275,31 @@ "rule_name": "Abnormal Process ID or Lock File Created", "sha256": "7741096692f9fe425bdb8c608cb7b6d139ecb608252b6e1bc29bea7446dce8b8", "type": "new_terms", - "version": 220 + "version": 219 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "8c2d19d60ea0eca73775d4c700e75c6ce53042b1235213dee6ff1a31e37bb5b1", "type": "query", - "version": 213 + "version": 212 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", "sha256": "c165e516becec15b1c1aa845d2f5d093956b2a7e28df7cb656de4b393ca6a50e", "type": "eql", - "version": 111 + "version": 110 }, "cbbe0523-33f3-4420-b88d-5c940d9e72c1": { "rule_name": "FortiGate Super Admin Account Creation", "sha256": "d7217f55364d8322b66e8c599721d64499e35c2cfb070e0b4e9ec22e497896a1", "type": "eql", - "version": 3 + "version": 2 }, "cbda9a0e-2be4-4eaa-9571-8d6a503e9828": { "rule_name": "Kubernetes Secret Access via Unusual User Agent", "sha256": "5c721d5177cca18be2b221ec5d1a2c3dbecc53be6c90ecc978f09a0ae0be5672", "type": "new_terms", - "version": 4 + "version": 3 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", @@ -10354,13 +10311,13 @@ "rule_name": "Attempt to Enable the Root Account", "sha256": "dc65243f14859cec0de10c90d31e854d1dfab19c45872d94ad5938971bf56fe6", "type": "eql", - "version": 112 + "version": 111 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "276e47f1c1a7661fdcc6d3c2b07f2989d6a5b3e39c40c0dfdf0fd3f7b8bc418b", "type": "esql", - "version": 312 + "version": 311 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "min_stack_version": "9.4", 
@@ -10376,31 +10333,31 @@ "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", "sha256": "e2f7d9be525edcabce6a79ec3d4e29a0d63faf3b3ce5c662631e46deee74aeb8", "type": "machine_learning", - "version": 108 + "version": 107 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "rule_name": "Google Workspace User Organizational Unit Changed", "sha256": "7ec6f7bcf0fd4a713ff9c6ad38220d76e00bca8d333e36385bc55f3afc788495", "type": "query", - "version": 112 + "version": 111 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", "sha256": "0b14b06375574bc3460aa42b0883902a71dda721561cbc763b1346983d30439d", "type": "query", - "version": 110 + "version": 109 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "f78afd3ef31ec247c8f93c3bded0ef9093593d4a4242d2da616e845a91d47463", "type": "query", - "version": 417 + "version": 416 }, "cca64114-fb8b-11ef-86e2-f661ea17fbce": { "rule_name": "Entra ID User Sign-in Brute Force Attempted", "sha256": "504d60716fcab3c62c39017161592cd1f993a179ce83dd9c3d56a64b35a046c1", "type": "esql", - "version": 10 + "version": 9 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", 
@@ -10412,20 +10369,20 @@ "rule_name": "M365 Entra ID Risk Detection Signal", "sha256": "80306f186a6e389d65f795a639aa14cc2d0d5e9278ce95f2eadbef633acdebc2", "type": "query", - "version": 3 + "version": 2 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "1f05b381a736d947775748f47767925c574667300ceab8fba31733fe5f0f0fea", "type": "query", - "version": 416 + "version": 415 }, "cd24c340-b778-44bd-ab69-2f739bd70ce1": { "min_stack_version": "9.3", "rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers", "sha256": "e426cd61370f7a3337d24e8fa843cb3ff9bc78469f0b54ef7f2f20320130b2e9", "type": "eql", - "version": 4 + "version": 3 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", 
@@ -10447,49 +10404,49 @@ "rule_name": "Anomalous Linux Compiler Activity", "sha256": "d580170ce5f9b525d575b03481dc0cff351e862ea09c42f5d0d27f1e1567dc86", "type": "machine_learning", - "version": 209 + "version": 208 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", "sha256": "94cc28cf394367383a56845044b14d18c01451f0e54fcce503353ef789d7d0cc", "type": "eql", - "version": 216 + "version": 215 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", "sha256": "e7da9e328dc068e58d02c3588b1b8169288b6dc8641369ffef8fa2f3dd2a7da5", "type": "eql", - "version": 10 + "version": 9 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "d062e4cdfbd30c711e2dc526868a474e5bed707bf2cd718b1b73f589d6d63332", "type": "eql", - "version": 420 + "version": 419 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "rule_name": "Okta User Session Impersonation", "sha256": "d1e454f298e77b0999edbb6252ad1bb10f84eff94a05ea0522b3bb3c02859802", "type": "query", - "version": 417 + "version": 416 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "4be76e64dd78a60dd653583d166ff23a96f61d81cc9540d321047abcbecc57ac", "type": "query", - "version": 222 + "version": 221 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { "rule_name": "Shadow File Modification by Unusual Process", "sha256": "fa212f11ff7dc31c458f4c5b4a44abf511bad5178eaab6a43dd2471e02b8de8b", "type": "eql", - "version": 8 + "version": 7 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "cb096a6dea392aedfc4158c3ea6faa4bbc4ba5dc20f240c5c486db678b44a67e", "type": "new_terms", - "version": 209 + "version": 208 }, "ce08cdb8-e6cb-46bb-a7cc-16d17547323f": { "min_stack_version": "9.4", 
@@ -10505,44 +10462,44 @@ "rule_name": "Unusual City for an Azure Activity Logs Event", "sha256": "e8a2532663bc99ed107bd3f71dfca99a418b5e691dd0c8311d997b2dcbcf37e7", "type": "machine_learning", - "version": 103 + "version": 102 }, "ce4a32e5-32aa-47e6-80da-ced6d234387d": { "rule_name": "GRUB Configuration File Creation", "sha256": "8171cdc003b23ecc74cd941913d99aa321de69230dc036f86df3e89ee88cc8a6", "type": "eql", - "version": 7 + "version": 6 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "d05044b0347897f56e49915d07ac39e23e1ccd2ce9e72cc40f427e958b496251", "type": "eql", - "version": 319 + "version": 318 }, "ce73954b-a0a4-4f05-b67b-294c500dac77": { "rule_name": "Kubernetes Service Account Secret Access", "sha256": "f037b6877c9466fa03677ff27ac9dc757799db083eafb89b01048fb5fb2e5336", "type": "eql", - "version": 5 + "version": 4 }, "cebabc1e-1145-4e39-b04b-34d621ee1e2c": { "min_stack_version": "9.3", "rule_name": "Shell Command-Line History Deletion Detected via Defend for Containers", "sha256": "979ca3e8ac0709e5e783a63e0ca0ccd14744cb170a17f6cc02fa41296d31801d", "type": "eql", - "version": 2 + "version": 1 }, "cf2b8cf5-3364-4396-b551-42aae9b6d37e": { "rule_name": "AWS SSM Session Manager Child Process Execution", "sha256": "b17735b656bbc81d70ff40989315103f3d8f3fcbfafb53bf3dc424ae9bd96070", "type": "query", - "version": 3 + "version": 2 }, "cf307a5a-d503-44a4-8158-db196d99c9df": { "rule_name": "Unusual Kill Signal", "sha256": "87b48799b45644f192a3001a0f4b89af47c77b4ee43ae485b40c621af5497e63", "type": "eql", - "version": 3 + "version": 2 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", 
@@ -10554,7 +10511,7 @@ "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "03ce40b74fdb6629caa18779e5369e9b7cb5144ddcc273d2708ffb29de856174", "type": "query", - "version": 211 + "version": 210 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { "rule_name": "Deprecated - Unusual Discovery Activity by User", @@ -10566,31 +10523,31 @@ "rule_name": "Trap Signals Execution", "sha256": "5d1c2a7fa37d485677c9525e57187ee14cae40657b6b37b87075a86b32fd53f2", "type": "eql", - "version": 7 + "version": 6 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "1cf0003b3ca2311e92a88d6dfe5f2172d9c346610169fa2fe67cca1dbb6e51da", "type": "eql", - "version": 323 + "version": 322 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", "sha256": "b3379c22774ddf7b3ad4cd9061769227cc13b67a811eed8e01aef15ddbb008eb", "type": "eql", - "version": 5 + "version": 4 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "rule_name": "Namespace Manipulation Using Unshare", "sha256": "7ce775edec6e2b9fd8f1f5e9790a1455232f7e73618d25ead665bd65ef08c238", "type": "eql", - "version": 117 + "version": 116 }, "d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": { "rule_name": "FortiGate Administrator Account Creation from Unusual Source", "sha256": "7daf11e701fa16bab823faa10886c4ccaae4187b0fb8c0bd88c578e3fb308798", "type": "new_terms", - "version": 3 + "version": 2 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "min_stack_version": "9.3", 
@@ -10606,67 +10563,67 @@ "rule_name": "Cloud Credential Search Detected via Defend for Containers", "sha256": "152389ffbec21b8c6cf4900a221557e3cbba23580dac8dcec675d8f6d38962d7", "type": "eql", - "version": 105 + "version": 104 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", "sha256": "b4f7eba2bacf2674558ed2020f01ac7344ecff673f119c66d8bf69963e5bdcd2", "type": "eql", - "version": 318 + "version": 317 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "91f370c60039a671e72337449587aafc3949520d1bc4a0aad944f952d97292f6", "type": "eql", - "version": 320 + "version": 319 }, "d121f0a8-4875-11f0-bb2b-f661ea17fbcd": { "rule_name": "Entra ID ADRS Token Request by Microsoft Authentication Broker", "sha256": "7b37bd4e071c45f94202000f79dbdb61c43277a88f56832e69af3e5209713192", "type": "query", - "version": 5 + "version": 4 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", "sha256": "5ce22bd1666f3e32e386cc8496062f37329380d440efdd91c6fe1802dc7323dc", "type": "eql", - "version": 11 + "version": 10 }, "d197478e-39f0-4347-a22f-ba654718b148": { "rule_name": "Compression DLL Loaded by Unusual Process", "sha256": "b8ef92cb19cb52e0bd7fb40cff7396636355fc683271c5bf1dbbd88a63e7753c", "type": "eql", - "version": 7 + "version": 6 }, "d19a2399-f8e2-4b10-80d8-a561ce9d24d1": { "rule_name": "System Binary Symlink to Suspicious Location", "sha256": "83f4835ace6e0cacb08b95892e3708076af8aa86de8a18edb56b641b451e2d61", "type": "new_terms", - "version": 6 + "version": 5 }, "d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7": { "rule_name": "AWS Rare Source AS Organization Activity", "sha256": "3aa90af79b03b53c743e4dcd0fd751c08cd550e2cc7cd3d6befd75fe1f03aa3c", "type": "esql", - "version": 2 + "version": 1 }, "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { "rule_name": "AWS EC2 Instance Console Login via Assumed Role", "sha256": 
"61f85c45874c50154a1dccbfdaa725b0313fe326ded94f01931dc0e5d05735c1", "type": "eql", - "version": 9 + "version": 8 }, "d1ee711a-a3ba-4d73-b5ab-84cab5b37fb3": { "rule_name": "Curl or Wget Egress Network Connection via LoLBin", "sha256": "ce203e6ef36a4f383860bdf870609761df68e02c57e8d531399a85f8423111d2", "type": "eql", - "version": 3 + "version": 2 }, "d1f310cb-5921-4d37-bbdf-cfdab7a6df9c": { "rule_name": "Privileged Container Creation with Host Directory Mount", "sha256": "75d684bf84179e6a25e644ac7d2db82a2d829dfdf5935cebecd941e03db6bf7d", "type": "eql", - "version": 3 + "version": 2 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", @@ -10678,13 +10635,13 @@ "rule_name": "Potential Microsoft Office Sandbox Evasion", "sha256": "762e4b15bacae2524f2eb4f6453f08cbabda5dc4ec577ed0a48d96b0f24b35df", "type": "eql", - "version": 112 + "version": 111 }, "d26331be-affe-46b2-bf4e-203d0e2d364c": { "rule_name": "AppArmor Profile Compilation via apparmor_parser", "sha256": "46f9b9dcc7c864ded6022aca5cdf7d66a3c6b1c46ede076a0e7cbbfcd22e3366", "type": "eql", - "version": 2 + "version": 1 }, "d2703b82-f92c-4489-a4a7-62aa29a62542": { "min_stack_version": "9.4", 
@@ -10700,79 +10657,79 @@ "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", "sha256": "0cedef065a88abd73d1662ab02552fdeee793d2ccf56f8eb78f729788dd786cf", "type": "machine_learning", - "version": 105 + "version": 104 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "d7a79c8c0bd79359418e9da37bf2de94c0807cd52386fb3373d97586dd42a0f4", "type": "eql", - "version": 319 + "version": 318 }, "d32f0c27-8edb-4bcf-975e-01696c961e08": { "rule_name": "AppArmor Policy Interface Access", "sha256": "540ec9c59c4ac14e4d8d22452a9727e0b44f48c1495a3a435a5f31c1d189dd96", "type": "eql", - "version": 2 + "version": 1 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", "sha256": "5bc1c4710d8d050588cfa022146eb44a57881fee2248fe986267feba1f4b5e51", "type": "eql", - "version": 323 + "version": 322 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "rule_name": "Remote Windows Service Installed", "sha256": "351040da536a8a222689ecf0d8ab1ba90a409e476f1222298de6b66d923d882d", "type": "eql", - "version": 115 + "version": 114 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "51c7d5aa91a02787b7a35cb450939619d0c1ce259e63a6fb6071f939b1b10e98", "type": "eql", - "version": 108 + "version": 107 }, "d3b6222f-537e-4b84-956a-3ebae2dcf811": { "rule_name": "Splunk External Alerts", "sha256": "f378f24577665171fd3b33d5b1172def6d1fa3fa89da6e34e50c43d6f969e922", "type": "query", - "version": 2 + "version": 1 }, "d43f2b43-02a1-4219-8ce9-10929a32a618": { "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", "sha256": "5159602762205589013e36bbd555824dadecd1d06e4df9e447253d043ff44ff9", "type": "esql", - "version": 12 + "version": 11 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", "sha256": 
"dde2f1948e3783288c5dda0fd4b020d47ac4e2ebc6daebe917d4a373dac35ab9", "type": "eql", - "version": 114 + "version": 113 }, "d4695889-0410-4e7b-a4aa-59be525a11a6": { "rule_name": "Entra ID Register Device with Unusual User Agent (Azure AD Join)", "sha256": "675401d2482999813274db5a1fcb768f91758024beb4c0c6695a66d8cdcd7add", "type": "query", - "version": 2 + "version": 1 }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", "sha256": "6bd7b6a580b9950f4a7a1d4911e00797056e57451d2c13d8236fa85a164dfcc6", "type": "eql", - "version": 9 + "version": 8 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", "sha256": "e0d1d6ba9b6ddf06ad72a0643f809d174cf9219b545d4dafb9b3c180160d2b19", "type": "query", - "version": 414 + "version": 413 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "f8132f6b4f1aa63e9d8e5d21d90394f93a1b56d7bf48aee2bb0c885b3549587b", "type": "query", - "version": 106 + "version": 105 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "min_stack_version": "9.4", @@ -10788,7 +10745,7 @@ "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "573b1809a649fa13bd4353d662f89857a9fe492c5d4c9c5572453e947abb52da", "type": "machine_learning", - "version": 208 + "version": 207 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "min_stack_version": "9.4", @@ -10804,13 +10761,13 @@ "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "eb3d13a478da5da270de435f9b6c3ac9f2aaa9e410767a5c8d5872f74b1a0e79", "type": "machine_learning", - "version": 209 + "version": 208 }, "d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f9a": { "rule_name": "Azure Compute Snapshot Deletions by User", "sha256": "0590c3ea783eef7a74ae9523153050ad013e39861a445e6d94296ba3c30fcb00", "type": "threshold", - "version": 3 + "version": 2 }, "d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a": { "min_stack_version": "9.3", 
@@ -10823,19 +10780,19 @@ "rule_name": "AWS IAM Customer Managed Policy Version Created or Default Version Set", "sha256": "b358dbfbed4eaf573315c79ec108874c58ce7ac3db8f94f63f765622b36a20d4", "type": "query", - "version": 2 + "version": 1 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "rule_name": "Linux init (PID 1) Secret Dump via GDB", "sha256": "12504527fe33d0f0d50bdee315c515557afbc1166edfdce8c68ddf82b11d3817", "type": "eql", - "version": 113 + "version": 112 }, "d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c": { "rule_name": "Kernel Module Load from Unusual Location", "sha256": "42ab912e8f87151cc830318d80b8fcacef86ad752a051c7f3c2a5bafdcc76af5", "type": "eql", - "version": 4 + "version": 3 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected", 
@@ -10847,49 +10804,49 @@ "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", "sha256": "39da3f93465e6657006f53771e217c4fc049da876a80117b4cd2e4d6ba155a2f", "type": "eql", - "version": 9 + "version": 8 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "6de04fbb3615cf52d1a00204c0cc7d5e126031bf5f50005e01881ede98097e80", "type": "eql", - "version": 317 + "version": 316 }, "d591d7af-399b-4888-b705-ae612690c48d": { "rule_name": "Newly Observed High Severity Suricata Alert", "sha256": "de1f830567ec7ac8c8a76bd6164a6af0895adedc8ceb7ea49c91dda648461626", "type": "esql", - "version": 4 + "version": 3 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "3086f8e9b0537db524ac52264f95c531385a9dd43a5942e444649fcad336c138", "type": "query", - "version": 416 + "version": 415 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", "sha256": "f6e11ce06e76dae63a181eb541563bd9478e69b749f15e3a5ac84fdefd47e11d", "type": "eql", - "version": 213 + "version": 212 }, "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { "rule_name": "Unusual DPKG Execution", "sha256": "189ec619c7b3f1acbaf3ec85c31d1cdef910e9f4fb1e9eee4e320cf66524c3eb", "type": "eql", - "version": 9 + "version": 8 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "a46f7108d987f5867d7a89f6ebead05786233dab13864eafc0980d67d2bbb886", "type": "query", - "version": 216 + "version": 215 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "afdbda3dde84fa473ded32b17d3c9c5a7f31bc6f7d069c45b4bd2a449afcae34", "type": "query", - "version": 111 + "version": 110 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", 
@@ -10901,91 +10858,91 @@ "rule_name": "IBM QRadar External Alerts", "sha256": "d87d352178c0de5f4c543c32276715abb35d6357dc42f75d84ac84b2401aa365", "type": "query", - "version": 2 + "version": 1 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "a12f6445936ab83bfae7520bc8f1d544d357ae58d9fca890908ee6320fefb81b", "type": "eql", - "version": 119 + "version": 118 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "M365 Exchange Anti-Phish Policy Deleted", "sha256": "9511b82aeec35d19961ca08da3e0fe578cfd57551921a610cef015721b43bc6e", "type": "query", - "version": 214 + "version": 213 }, "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": { "rule_name": "Potential Protocol Tunneling via Cloudflared", "sha256": "ce6454a80c785ff43356dc00ba0a798148f8a47cb228ba6ada6f7401d7741728", "type": "eql", - "version": 5 + "version": 4 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", "sha256": "6e66c624263fb09663f0683aee91a1c75afb76f643f116aa5e9eb16e8a6915d5", "type": "eql", - "version": 218 + "version": 217 }, "d70c966f-c5ef-4228-9548-346593cd422d": { "rule_name": "Unusual Process Connection to Docker or Containerd Socket", "sha256": "7d3b65bfb9efed8938e8d51a738e97060eb210b496bc611a1795c93ec01ffe47", "type": "query", - "version": 2 + "version": 1 }, "d7182e12-df8f-4ecf-b8f8-7cc0adcec425": { "rule_name": "Pbpaste Execution via Unusual Parent Process", "sha256": "3cfed4a1b0aa89c53b098fc2987859ebe883bc1267bc374ba18070c2e9a4f5e9", "type": "eql", - "version": 2 + "version": 1 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", "sha256": "6c8f7e690fc992ad98b1a2c1101f2ba9ed50cca218d536e7c1884a8f52471e45", "type": "eql", - "version": 320 + "version": 319 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "M365 Exchange Malware Filter Policy Deleted", "sha256": 
"3adaab0d509bfe15b688bc4f88053464321d610fa1ec88316130980d84582fb0", "type": "query", - "version": 214 + "version": 213 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "rule_name": "Suspicious Memory grep Activity", "sha256": "bd02b6e884a029c82503af499237b283074d0ca5c44c925afc8f88dcd6162644", "type": "eql", - "version": 110 + "version": 109 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", "sha256": "0eb4e9b2e8d7ae7e32cea1ab9708d0e2c67a166339ae6128cf014faf53bb202b", "type": "eql", - "version": 212 + "version": 211 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "rule_name": "Interactive Terminal Spawned via Python", "sha256": "6903d7db95ea1e3cd259c3ce0b5ca1cea3642360c9cfae1b6e55c16f174b1c7d", "type": "eql", - "version": 217 + "version": 216 }, "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": { "rule_name": "Python Site or User Customize File Creation", "sha256": "b1b0ab169ce762f2b928b00dbc60e869cc527620231972f6845fb6d33ec29a8b", "type": "eql", - "version": 8 + "version": 7 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Storage Permissions Modified", "sha256": "ded822ec5092e708b8c124227dbc29b933f95ea146bf4d92834bc41105e150bf", "type": "query", - "version": 111 + "version": 110 }, "d7b57cbd-de03-4c3b-8278-daa1ee4a6772": { "rule_name": "Suspicious Apple Mail Rule Plist Modification", "sha256": "a0c45fe46654506f314348d84713c3f366b341eea449497c5470f69c930e5b6b", "type": "eql", - "version": 3 + "version": 2 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "min_stack_version": "9.4", 
@@ -11001,116 +10958,116 @@ "rule_name": "Spike in Logon Events", "sha256": "c29b7f8eaa644ba59a41c217b164035424b0b42506ea6cae59993fbfea56b596", "type": "machine_learning", - "version": 209 + "version": 208 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", "sha256": "d525b40ecee5195fb6dd26c7e0a3b458d1002aa5d043016b236c48332cf0b40b", "type": "query", - "version": 112 + "version": 111 }, "d84a11c0-eb12-4e7d-8a0a-718e38351e29": { "rule_name": "Potential Machine Account Relay Attack via SMB", "sha256": "dd7dbcab64a1af066709c965e6e904bd1f93c69923a1cde4221dbe5b39ceea64", "type": "eql", - "version": 5 + "version": 4 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "rule_name": "Untrusted Driver Loaded", "sha256": "dd48411c421dd9a77c91fa3ff6ff6d14e61e1ae1d21e0c8c6502a895bd5f61d5", "type": "eql", - "version": 15 + "version": 14 }, "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": { "rule_name": "Potential REMCOS Trojan Execution", "sha256": "9980c44f4485b07a1b435cab511bf5458e092b30640924be72d91e2438814535", "type": "eql", - "version": 4 + "version": 3 }, "d8f2a1b3-c4e5-6789-abcd-ef0123456789": { "rule_name": "Ollama API Accessed from External Network", "sha256": "e3733d532630c219d6614d21fb75e356d22f16ec0a9ff3f0f60224843ab8c594", "type": "eql", - "version": 3 + "version": 2 }, "d8f4e3b0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collections Deleted", "sha256": "38554163bf5d4d1b147f9137f117e510d8f097d49b32da256957eb1ab28fe4f0", "type": "threshold", - "version": 3 + "version": 2 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", "sha256": "f45c32cad0da7a071d36e956585cc06c542c9a29b537439c503a699b2e8937d5", "type": "query", - "version": 217 + "version": 216 }, "d93e61db-82d6-4095-99aa-714988118064": { "rule_name": "NTDS Dump via Wbadmin", "sha256": "b5b01fd3137c66953523e88ed94247e81d9efe10e2782519d665bfeeb5e77648", "type": "eql", - "version": 210 + "version": 209 }, 
"d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "061af9c10cb05decbc575b0ae0c06c1bdd672222b3a888b953190222fa5b14e7", "type": "eql", - "version": 320 + "version": 319 }, "d9af2479-ad13-4471-a312-f586517f1243": { "rule_name": "Curl or Wget Spawned via Node.js", "sha256": "951ee0aea30e70bfde8e78165a1547a8b00bdc808aad4a313029de907d78bfc6", "type": "eql", - "version": 7 + "version": 6 }, "d9bfa475-270d-4b07-93cb-b1f49abe13da": { "min_stack_version": "9.3", "rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers", "sha256": "07b381c84cab6bd05cd985d2912671b0d45207acb284af1f93837b49a556c20c", "type": "eql", - "version": 4 + "version": 3 }, "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { "rule_name": "Sensitive Files Compression Inside A Container", "sha256": "9c333571d80d149931449ce4fe2f16cc2b89cb7d0b97e5360a06a35349eec9f6", "type": "eql", - "version": 5 + "version": 4 }, "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { "rule_name": "Suspicious Windows Command Shell Arguments", "sha256": "15f5dd84a9d960fdd0ea0c58c5ffb940e0756358d081435f8ae73ca59eaed3de", "type": "eql", - "version": 210 + "version": 209 }, "da0d4bae-33ee-11f0-a59f-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection", "sha256": "0f39ccaeadc0c6cf3a2ee85643d96368b7334c7b492b8517a90569b012196537", "type": "query", - "version": 3 + "version": 2 }, "da0ebebe-5ad3-4277-95e7-889f5a69b959": { "rule_name": "System Information Discovery via dmidecode from Parent Shell", "sha256": "c5119c7d8cb6ba0ab9fb94430ae2c2d1e3e6a6ebf20e2e18c60d9d4a5447293b", "type": "eql", - "version": 3 + "version": 2 }, "da4f56b8-9bc5-4003-a46c-d23616fbc691": { "rule_name": "PANW and Elastic Defend - Command and Control Correlation", "sha256": "9c4cc881a8a05c1e645c6fe4391834b009ca46b5124f18c1b821ee66b634a942", "type": "eql", - "version": 3 + "version": 2 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "rule_name": "Code Signing Policy Modification Through 
Registry", "sha256": "f176da9360e2f2c3e8860fe15eb235214bcd1dcb323c49fd9e72e96df1a1b1aa", "type": "eql", - "version": 218 + "version": 217 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "sha256": "d887a9027105bdf4a170339cbb9e7012eb40383c6c65812c787c1f612543ae11", "type": "query", - "version": 10 + "version": 9 }, "da7f7a93-26e1-49ce-b336-963c6dc17c7b": { "rule_name": "Multiple Machine Learning Alerts by Influencer Field", @@ -11122,7 +11079,7 @@ "rule_name": "Suspicious Service was Installed in the System", "sha256": "674d5611f7c4e7c2d56833a0a0b8b8f7afb23a14664b0b58853854141dfebc4a", "type": "eql", - "version": 118 + "version": 117 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", 
@@ -11134,37 +11091,37 @@ "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "c380424b1c7a8b15cd6c69f19e2aeb996b3c3fc438a6d4bf4b91a48d47e8f852", "type": "new_terms", - "version": 112 + "version": 111 }, "dacfbecd-7927-46a7-a8ba-feb65a2e990d": { "rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access", "sha256": "7698bb07813a340c67e08c1e0d6c46f4495d8677699f8d9107e8b142f7ca07f9", "type": "eql", - "version": 4 + "version": 3 }, "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22": { "rule_name": "Github Activity on a Private Repository from an Unusual IP", "sha256": "cdc80e68084ebe217495f688541fa82a88b6d61c98e0db63dc780d2bdb4f097d", "type": "new_terms", - "version": 4 + "version": 3 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Entra ID MFA Disabled for User", "sha256": "f6bdc31ea3c2eddf3ce464b3867eaec5b1aa65d326c6a8d9e15c3efe12d9debb", "type": "query", - "version": 112 + "version": 111 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "7bd11c1b9d14c0b64b5fc2d21036e0a4f3582a43c218da0a6826ca7aa6a33559", "type": "eql", - "version": 211 + "version": 210 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "c054d7bcf3340f3352424a90c89e9d0445764287f7293857c90eb806c386af43", "type": "eql", - "version": 218 + "version": 217 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", 
@@ -11176,19 +11133,19 @@ "rule_name": "Entra ID Service Principal with Unusual Source ASN", "sha256": "47e4c635bd2fc84b836711971b0d8c151eafaf5a921900bf220e58aea6fc9e00", "type": "new_terms", - "version": 4 + "version": 3 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", "sha256": "04a000054fd086fe35b3e52f9d3eb48095fbb9e0b2f9aacddf7ec8e892c6d415", "type": "eql", - "version": 112 + "version": 111 }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { "rule_name": "Git Hook Command Execution", "sha256": "df35f25f9ccc47ef6da1162061e6426b9e9a36091db4987ef34c162d36beacfd", "type": "eql", - "version": 109 + "version": 108 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", @@ -11200,31 +11157,31 @@ "rule_name": "Potential Hidden Process via Mount Hidepid", "sha256": "7e94ec06da053b5379f26e7355e1de6a3ec95c67115e9537b7ace9a1e062ad88", "type": "eql", - "version": 116 + "version": 115 }, "dc765fb2-0c99-4e57-8c11-dafdf1992b66": { "rule_name": "Dracut Module Creation", "sha256": "e7901044b018b0d51e7579987769d7d815f196e226c06f7802072f53c04388c1", "type": "eql", - "version": 7 + "version": 6 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "3acf373b176d3530fa50133aba0cc5e97d69dd9048f86a93ec51b82bbabd87eb", "type": "eql", - "version": 319 + "version": 318 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", "sha256": "5fcc8e1b8ffda2633c5e84605dbccd3b4fa19f61cb6746ba6f2e9673df63aa6f", "type": "machine_learning", - "version": 213 + "version": 212 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", "sha256": "bd9a3f37f0d0ab84e7db8a5a74cea5394ae79810a7375da4213f0f9a2c6fa870", "type": "eql", - "version": 214 + "version": 213 }, "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f": { "min_stack_version": "9.4", 
@@ -11240,19 +11197,19 @@ "rule_name": "Unusual Country For a GCP Event", "sha256": "e1b3ec7e1ad5085043b0e15521b9f164298bfc915884a6f8315a6e202ea53c00", "type": "machine_learning", - "version": 103 + "version": 102 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "rule_name": "Attempt to Install or Run Kali Linux via WSL", "sha256": "b4dec363cc87b83e8de55fe91c72957864534614c92d32f07c9a2356c8ea2b41", "type": "eql", - "version": 218 + "version": 217 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", "sha256": "61c08b145f474da52f1ef04e85dcb57c8943bda0687f41fc8d07ac5da39fcb73", "type": "eql", - "version": 10 + "version": 9 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "rule_name": "Reverse Shell Created via Named Pipe", 
@@ -11274,67 +11231,67 @@ "rule_name": "Docker Socket Enumeration", "sha256": "3b20c039973e88cff852dc38dbf06dcab6f9f7dddf03fff3e2c9b9ea124a1b4a", "type": "eql", - "version": 106 + "version": 105 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", "sha256": "57fc4d41f585e9622767d73c6374d8b6d69d72f69433691499262a4bf492032c", "type": "eql", - "version": 317 + "version": 316 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", "sha256": "ae224b4b5bf9c3ce6f6db645cadbc8352cd2f23dad4cf4b8359ff9cb689618e3", "type": "eql", - "version": 10 + "version": 9 }, "ddf26e25-3e30-42b2-92db-bde8eb82ad67": { "rule_name": "File Creation in /var/log via Suspicious Process", "sha256": "5f8ad4b3b68a18b84f5a900a3c5491e09f7b0f7e7080c501e059c8c08178977c", "type": "new_terms", - "version": 6 + "version": 5 }, "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": { "rule_name": "M365 Identity User Account Lockouts", "sha256": "5e9c7aba985f7171c814ece90db1ada7159ce434f744a6aaedd5bb6ec9c1e41d", "type": "esql", - "version": 10 + "version": 9 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "7791d75c96deb296d5cba1980599b03dd2283e6d586e2f8a6e12acdd83d40bb5", "type": "eql", - "version": 320 + "version": 319 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "cc614eb9ec6ed03a159b5db0dbf49482ecd4ad3eff42784b233103ac0f8201a2", "type": "eql", - "version": 217 + "version": 216 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", "sha256": "c565926c3852c56892fb0501188df9bc15a1e1513cf40aad90ba10370499a8fd", "type": "new_terms", - "version": 109 + "version": 108 }, "deee5856-25ba-438d-ae53-09d66f41b127": { "rule_name": "AWS EC2 Export Task", "sha256": "543ead44f26c16aa26bc746708c06f6531c20c28051bd501212c956b5a5e761c", "type": "query", - 
"version": 5 + "version": 4 }, "df0553c8-2296-45ef-b4dc-3b88c4c130a7": { "rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners", "sha256": "554697d96fc03f19bf3758bd9118b506f368879575889f932f4049755fd5e0bb", "type": "eql", - "version": 3 + "version": 2 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", "sha256": "a86e29ad36c65e20a6de39029ef2fd2b315fa075aa314ff2142a7f24e4da833a", "type": "new_terms", - "version": 14 + "version": 13 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "9.4", @@ -11350,31 +11307,31 @@ "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "b583da4a2219e9b0c1ca1bbb77ab1d2d1fa46c5e8caddef587789c410db5b995", "type": "machine_learning", - "version": 310 + "version": 309 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", "sha256": "48fc5e51a731f7f4cd946c1dd4f14311045c44adaeefced003d70db94d583d69", "type": "query", - "version": 108 + "version": 107 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { "rule_name": "Dynamic Linker Copy", "sha256": "74975fc1c4e9c6ba277040431b9fdeb13dcda0d536146b120add215ed4d701df", "type": "eql", - "version": 217 + "version": 216 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", "sha256": "83dd265459b1aa87e352d134366f7a3ddb21c45e95d2c3239472e71faefe7530", "type": "query", - "version": 211 + "version": 210 }, "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", "sha256": "e4dc1206fa6f829adfd9c13606980e85749ca4905cf5b656b4f4c60403d268c6", "type": "eql", - "version": 10 + "version": 9 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", 
@@ -11392,43 +11349,43 @@ "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "3f71996afbee4c685c8f52997c9df48706ea01c6b2de558474316098cbd78701", "type": "eql", - "version": 212 + "version": 211 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", "sha256": "eda677d08740a19834e652dd899736788b11c6cd08b52433e01e03a32ff45778", "type": "eql", - "version": 10 + "version": 9 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure VNet Firewall Policy Deleted", "sha256": "42fd83bb3ed5bb7a69511e4c90baba7006569871c9591996af8add54ba3f9535", "type": "query", - "version": 109 + "version": 108 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { "rule_name": "KRBTGT Delegation Backdoor", "sha256": "e267d4a1c0816edee33949500b7845ddffbc71f9e886b046cead5b47b8e3ffb8", "type": "eql", - "version": 215 + "version": 214 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "e589be7d2f86dabb5960decd210508e1d28f819cda2df6b1bb9b7902a8b06c62", "type": "eql", - "version": 115 + "version": 114 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "834c73e30108eabb04f904e2f9fb59222b3e3be8401ea3dc2ee9e6d14a39e09e", "type": "threshold", - "version": 418 + "version": 417 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", "sha256": "009201c6e671258aeae2bedc88405596018aabb7b315facd99b1f46ae2585cd3", "type": "eql", - "version": 112 + "version": 111 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "rule_name": "Whitespace Padding in Process Command Line", 
@@ -11440,13 +11397,13 @@ "rule_name": "Azure Event Hub Deleted", "sha256": "c2a4134579286f6aa1a9ecb0c4e6b4e70eafff7901ea15b721a52a78df45774d", "type": "query", - "version": 110 + "version": 109 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS EC2 Route Table Created", "sha256": "9b67864d91e23c630e30222f8b30ed291ee313d56d56ea5b11db2d831b11f177", "type": "new_terms", - "version": 215 + "version": 214 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "Deprecated - AWS RDS Cluster Creation", @@ -11458,7 +11415,7 @@ "rule_name": "Connection to External Network via Telnet", "sha256": "531ef817962d765ea1d1873aaba42843ea3beaae12f70d493be1b6b58326b983", "type": "eql", - "version": 214 + "version": 213 }, "e1db8899-97c1-4851-8993-3a3265353601": { "min_stack_version": "9.4", @@ -11474,13 +11431,13 @@ "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", "sha256": "f99d7c4b92f8aa673ebfc37fc27f755a33e5229dfab0fe63a64aeef8a64e7a63", "type": "machine_learning", - "version": 108 + "version": 107 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "rule_name": "Suspicious Mining Process Creation Event", "sha256": "c6b59218f0bd6a67c42d0853ef8efecafa69decfbdb0aa5c7f7edfe917c74a92", "type": "eql", - "version": 113 + "version": 112 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "9.4", 
@@ -11496,91 +11453,91 @@ "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "c5424dd0ac4759274a714f7da569350b4c2f72b6cda74241734321138dd7a90c", "type": "machine_learning", - "version": 209 + "version": 208 }, "e26c0f76-2e80-445b-9e98-ab5532ccc46f": { "rule_name": "Full Disk Access Permission Check", "sha256": "e7bb1fd6bdeaf8d10f670322c516617a75eaaa78ba368b994860add677b7f488", "type": "eql", - "version": 3 + "version": 2 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "330e090e05d199d784a30dba2d9a2b95c747892566f0625825f70a6c9a46c893", "type": "query", - "version": 323 + "version": 322 }, "e28b8093-833b-4eda-b877-0873d134cf3c": { "rule_name": "Network Traffic Capture via CAP_NET_RAW", "sha256": "fab7fa210a76157c989ee04aefd0795f455e6c208c1448b2998bc869fbc08430", "type": "new_terms", - "version": 8 + "version": 7 }, "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { "rule_name": "Suspicious pbpaste High Volume Activity", "sha256": "10d2ec7341493ccc024bc77312d038463740052c2544a13310264eb38ec7352a", "type": "eql", - "version": 6 + "version": 5 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", "sha256": "0f802b676e0147391d3eea1fc954cdbc66de1ad2fe46885703ab67114a37fe22", "type": "query", - "version": 215 + "version": 214 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "rule_name": "System Network Connections Discovery", "sha256": "f40303a3b6fe56ee00bf1284cc98b8436149887e35ef2c1c694e84084ad8f79c", "type": "new_terms", - "version": 9 + "version": 8 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "04376f49d3990dd86495c5322be8f5874dcdbda9800cd52e23e796d938b71bff", "type": "eql", - "version": 216 + "version": 215 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": 
"2a2acd0d225dd9d8108f917f710d14db75d681995fd899aa981695fd4099ed06", "type": "eql", - "version": 220 + "version": 219 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", "sha256": "320dce36d39b239293241a690b6787ec6882b7ecdc06c47d04b83e1b21d0242f", "type": "query", - "version": 109 + "version": 108 }, "e302e6c3-448c-4243-8d9b-d41da70db582": { "rule_name": "Potential Data Splitting Detected", "sha256": "70959d883cd0b3cf2e76630d3a39639178bb9c1f3664108165d1b139efff9d29", "type": "eql", - "version": 108 + "version": 107 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", "sha256": "060bd0e9905307e347187d0f7842f8203cb47e8722ab5137d88a4a17ee7fbf5a", "type": "eql", - "version": 320 + "version": 319 }, "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": { "rule_name": "FortiGate SSO Login Followed by Administrator Account Creation", "sha256": "cae7737dc54b6466c847d786b61bf90bd201f9da376d07c052e4788915499dab", "type": "eql", - "version": 4 + "version": 3 }, "e3bd85e9-7aff-46eb-b60e-20dfc9020d98": { "rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties", - "sha256": "16131654c5affdba210f70ec3c2fb8fe4f4bfa1035c942ad523946e7095ba136", + "sha256": "a372e57ef0cef6f9c6715b56c0715f3e8ac8e1a4d65dc400f90aa6c3b39e9bfd", "type": "esql", - "version": 10 + "version": 8 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC", "sha256": "3b98604c6f720ab440e9969e3346fc5362018681bd80872c3f4fb70111fa3f4c", "type": "query", - "version": 214 + "version": 213 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", 
@@ -11592,55 +11549,55 @@ "rule_name": "AWS Discovery API Calls from VPN ASN for the First Time by Identity", "sha256": "902d233527477d56bcbc2c834c105bf68b4b29cb533c1e1b99a2b114cf40f1c8", "type": "new_terms", - "version": 2 + "version": 1 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "e31a7dca3b6a465b5101c181f1b879b428da800176d02b1221220729aaf0d431", "type": "eql", - "version": 212 + "version": 211 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "rule_name": "KDE AutoStart Script or Desktop File Creation", "sha256": "86251b2eca0b5f3acf7e5da5bfb34467b59c79339df8798d4a928e1e2efc6cad", "type": "eql", - "version": 221 + "version": 220 }, "e3f5a566-df31-40cc-987c-24bc4bb94ba5": { "rule_name": "Persistence via a Hidden Plist Filename", "sha256": "e10babd2a4c59e058435d104fde73fcff04b3edff61dc053e1e33516665a6c8e", "type": "eql", - "version": 2 + "version": 1 }, "e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": { "rule_name": "SentinelOne Threat External Alerts", "sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e", "type": "query", - "version": 2 + "version": 1 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "79becf1ff7996919b22b9cac49062931ff331b772499da8b3f52b527c7dfeb78", "type": "new_terms", - "version": 112 + "version": 111 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "bdb8ba5a49e48f7068f93d065fa8dae667a8f2b828e9d74eeb56ab6119ff210b", "type": "query", - "version": 416 + "version": 415 }, "e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912": { "rule_name": "Sensitive Identity File Open by Suspicious Process via Auditd", "sha256": "374ca4536093e555bbef4ff26ebe4be6c8bcbbab2c9b655caaecca14ce351224", "type": "query", - "version": 2 + "version": 1 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "rule_name": "Service Creation via Local Kerberos Authentication", 
"sha256": "2835e011c2b091e7ca7df56076492ae247ab5a85004aa4b5799ea204433c5b33", "type": "eql", - "version": 215 + "version": 214 }, "e4feea34-3b62-4c83-b77f-018fbef48c00": { "min_stack_version": "9.2", @@ -11656,31 +11613,31 @@ "rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token", "sha256": "58839416fc9659a82bb183c3877b216b52626c83025ba5e2caffa9396998ce00", "type": "eql", - "version": 107 + "version": 106 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "23a60ea4249e0fcdf1f870c4a69bd461fdadf3f92058a07315813a7b88e72d3c", "type": "eql", - "version": 220 + "version": 219 }, "e516bf56-d51b-43e8-91ec-9e276331f433": { "rule_name": "Network Activity to a Suspicious Top Level Domain", "sha256": "7a5e47f5bd44607aa08a96e9f60e4b5e3e991f52a1a3e2ad835a3808872c2cbe", "type": "eql", - "version": 5 + "version": 4 }, "e5420ced-bc42-4783-a8df-99320567e090": { "rule_name": "Entra ID OAuth Device Code Phishing via AiTM", "sha256": "8bde43506fd1c2d1913d4fd289c639bf62d870c4fafc812c8d964ce2ebee5ee0", "type": "query", - "version": 2 + "version": 1 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "a6c636f24c7cf63487a0db4ee93fdb305a9e7766647d78bc310af47ac06f4733", "type": "query", - "version": 211 + "version": 210 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", 
@@ -11692,127 +11649,127 @@ "rule_name": "GitHub Authentication Token Access via Node.js", "sha256": "6a417d5d405f2f5407cee4783101473ada9b188d889fb655c65694110b02a589", "type": "eql", - "version": 5 + "version": 4 }, "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": { "rule_name": "First Time Seen DNS Query to RMM Domain", "sha256": "4572e3ea14df0faf4b8084faac4976128fcfc92c6bfc45ba262f2580675fd50c", "type": "esql", - "version": 5 + "version": 4 }, "e5f9a1b2-3c4d-4e6f-a7b8-9c0d1e2f3a4b": { "rule_name": "AWS EC2 Instance Profile Associated with Running Instance", "sha256": "226b26472af2c538610d1e0a15b1a952dd0fba90d63486b1e74c9a11f2ad4ea2", "type": "query", - "version": 2 + "version": 1 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "rule_name": "Bash Shell Profile Modification", "sha256": "2fd375388407792fd51a8969b707aa25f45b320020108a7979676d7a7f9a867e", "type": "query", - "version": 109 + "version": 108 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "rule_name": "Authorization Plugin Modification", "sha256": "17b73d3e39ffba68bb956e466370e9d6eaa7ebe30fc50598af1a624b1e18229c", "type": "eql", - "version": 113 + "version": 112 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "rule_name": "Possible Okta DoS Attack", "sha256": "f9ff8587149b2afa762f584f9089d3731b0b31ba76799adcff06c4fb444ae831", "type": "query", - "version": 415 + "version": 414 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", "sha256": "048555dd2466b4a537ebc22441d66a2efefb466f5505a45d435f0319e2802734", "type": "eql", - "version": 114 + "version": 113 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "727bfa432760b50171e1894d8c8b244ab5ccfc62c5b925c757c41d179d78d45c", "type": "query", - "version": 111 + "version": 110 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "rule_name": "Potential Credential Access via Memory Dump File Creation", "sha256": 
"22885ae14d09906f786705183a0dfa366fb542f4048dbe5e5b30dc12c0ac3e22", "type": "eql", - "version": 7 + "version": 6 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "rule_name": "Execution of Persistent Suspicious Program", "sha256": "17d574e7c23e80225a66e3a65e6914c036850e0db1f4e6e732f50f3c24f8f160", "type": "eql", - "version": 213 + "version": 212 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "4b20d1a797938d4bf6c8b100b8530798861aa4c34bac581498f7f945caa17d5d", "type": "eql", - "version": 314 + "version": 313 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { "rule_name": "Potential Windows Session Hijacking via CcmExec", "sha256": "a945f7bf00629ecb400737b7b14b28993acd3c43139ce6dd8fe3d023b380a938", "type": "eql", - "version": 7 + "version": 6 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "rule_name": "Unusual Process For MSSQL Service Accounts", "sha256": "f0e1c5528f65f66b87d2190eb338e758a3f0d5b44557e8e747dbefac8ca09623", "type": "eql", - "version": 8 + "version": 7 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "f55de11949383e8ffb3a4192eecf14866875ceeaa57bde8ee624939ca76fd6be", "type": "eql", - "version": 209 + "version": 208 }, "e7856173-6489-449f-80ec-c1f5fcd7b87c": { "rule_name": "Suspicious SUID Binary Execution", "sha256": "3ab2883a81df88c4292ed8b020245160915a89cf093f6328b0214b58896d1ccd", "type": "eql", - "version": 3 + "version": 2 }, "e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b": { "rule_name": "Curl or Wget Execution from Container Context", "sha256": "3f8ae9fc98a4b5464696708a194db0dadf788ad1d2c77233c68f478030024d14", "type": "query", - "version": 3 + "version": 2 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "rule_name": "Potential Linux Credential Dumping via Unshadow", "sha256": "a04dbcb36c1f1c440b37f7cae577b3ece10b72efdbfcddb813460c826ebc9310", "type": "eql", - "version": 115 + "version": 114 }, 
"e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS EC2 Route Table Modified or Deleted", "sha256": "2205c6c53afda6b21954cb4f3f25c96fc5c6978dda5e38205c466147e8b8c8f4", "type": "new_terms", - "version": 214 + "version": 213 }, "e7e0588b-2b55-4f88-afd1-cf98e95e0f58": { "rule_name": "Suspicious Outbound Network Connection via Unsigned Binary", "sha256": "0cab3f24cd193b08178b94d7a007dffe133ccb4bce1d98ee99aeee1e030c00eb", "type": "eql", - "version": 3 + "version": 2 }, "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": { "rule_name": "Potential Protocol Tunneling via Yuze", "sha256": "412e9aaeeb919c12903d28a97892e212d3f62b2429054811f7956dceb7871b7d", "type": "eql", - "version": 5 + "version": 4 }, "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { "rule_name": "Network Connection by Cups or Foomatic-rip Child", "sha256": "9dadc34c752b9bc0928030b436c8dc050e4c931a424ac3abd0aabc8c86180945", "type": "eql", - "version": 7 + "version": 6 }, "e819b7eb-c2d4-4adc-b0c9-658aeb140450": { "rule_name": "Lateral Movement Alerts from a Newly Observed User", 
@@ -11824,61 +11781,61 @@ "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "d84f36a2afbc144fef44ad9e64b127adac38a0aa0a79935942cc31275e6af59f", "type": "eql", - "version": 221 + "version": 220 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", "sha256": "96b67730d8ffb341e813867e0276ae18c765a4a89c3710d2963454743335821a", "type": "eql", - "version": 316 + "version": 315 }, "e882e934-2aaa-11f0-8272-f661ea17fbcc": { "rule_name": "Microsoft Graph Request Email Access by Unusual User and Client", "sha256": "afb5abbe83d85e4bfc0c4355dcb0fcdc60a91012e0ee14f6f6fc77e177fcda7a", "type": "new_terms", - "version": 7 + "version": 6 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "rule_name": "Host File System Changes via Windows Subsystem for Linux", "sha256": "d3e0d905b618b1535f2deed8102de10f9c45d79e7038e76eab62094063d444b0", "type": "eql", - "version": 115 + "version": 114 }, "e8b37f18-4804-4819-8602-4aba1169c9f4": { "rule_name": "GitHub Actions Workflow Modification Blocked", "sha256": "6938ae0fe092466ebe7a800629949a38ad4eb3da443917c54766b67839d2912d", "type": "esql", - "version": 7 + "version": 6 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", "sha256": "af263b39de7d96dc66778483b32a18131d2d78f294fccb516b20f02b3561d26a", "type": "eql", - "version": 11 + "version": 10 }, "e8ea6f58-0040-11f0-a243-f661ea17fbcd": { "rule_name": "AWS DynamoDB Table Exported to S3", "sha256": "e9c43384f812c32ac9f5ea58d4ce394b5a607f68a6941a3949ad2dd1c8c6ed49", "type": "new_terms", - "version": 8 + "version": 7 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", "sha256": "bed94ea17205b8c891d4ddb047a885b0302d991f1f9be008ba2c8dc7e4483618", "type": "new_terms", - "version": 113 + "version": 112 }, "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": { "rule_name": "Potential PowerShell Obfuscation 
via String Reordering", "sha256": "b59e0cbc56c4fb53787bc00632c6ceab167a0694f6b7fecc962d87dbbea24286", "type": "esql", - "version": 14 + "version": 13 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "bf0cca05ac39585a934fe378753788c53700f3e8756741b90086a08ec42e370c", "type": "threshold", - "version": 418 + "version": 417 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "Deprecated - AWS EC2 VM Export Failure", @@ -11900,25 +11857,25 @@ "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", "sha256": "5b22d537d80ab2e0d67e5b165b971868811ca16c1d70bb8c02f4909f50c8945d", "type": "machine_learning", - "version": 109 + "version": 108 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "d6c1aa3c45cbcc3f9d96b8f85efd889c870bb8993049a36ef372ca20e882d8c7", "type": "eql", - "version": 319 + "version": 318 }, "e9a3b2c1-d4f5-6789-0abc-def123456789": { "rule_name": "Ollama DNS Query to Untrusted Domain", "sha256": "5e3e4830d4541a4e622121b68abbd2dfd611a6127af90ffcc80d8a462369afc5", "type": "eql", - "version": 3 + "version": 2 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", "sha256": "baa994c1fe7f4dc602b62d56e07acb6a0e3752a04ab6347f182416d3ae2a0465", "type": "eql", - "version": 112 + "version": 111 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { "min_stack_version": "9.4", @@ -11934,7 +11891,7 @@ "rule_name": "Spike in Remote File Transfers", "sha256": "b5fc44379578795228550e1b83eaeb9e7e0126f4ed99201198f0cefb85c52110", "type": "machine_learning", - "version": 110 + "version": 109 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", 
@@ -11946,13 +11903,13 @@ "rule_name": "AWS EC2 Serial Console Access Enabled", "sha256": "50914bbf617175010dadedcd2ca391ecc37c172b7ed25599aa28b3f97dd1e043", "type": "query", - "version": 4 + "version": 3 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", "sha256": "7c465669f1e16c050c57c78eaf0a6374fc5a02a2a17346e81ea0e4e1ce2aef99", "type": "query", - "version": 108 + "version": 107 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", @@ -11974,25 +11931,25 @@ "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "18f984692e2ec7a1945f11db130429aaea89ba4e32aa4187f2def7337275a873", "type": "machine_learning", - "version": 212 + "version": 211 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy", "sha256": "aa1c1625dd82eb24ec01c42ec65095f631d903642a4a3e7aed22ba4a1355b97f", "type": "threshold", - "version": 217 + "version": 216 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", "sha256": "43fbc760dbb9d213111df81edfb92ab4f4902eb6c46f5bdfe3b1f0e215a38432", "type": "machine_learning", - "version": 110 + "version": 109 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", "sha256": "0392cad4ebbd3925824fb6d7902f524c2bc25be9f9b7c642869fb070d18502d2", "type": "eql", - "version": 11 + "version": 10 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", 
@@ -12004,19 +11961,19 @@ "rule_name": "Telnet Authentication Bypass via User Environment Variable", "sha256": "addac13158f89b3addaf29024a1c49c9396a2f87bc029975ea1f19735fcb49ab", "type": "eql", - "version": 4 + "version": 3 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "f994e110b50cb2736e928c79c4c504229652f18fda04a1328cd19dc6f0b6eb27", "type": "query", - "version": 111 + "version": 110 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "eaa7dc28c0ba71007f9a46582afef0a8096c44e0a86adce631ad580e33bc8acc", "type": "query", - "version": 219 + "version": 218 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "rule_name": "Suspicious Network Connection Attempt by Root", 
@@ -12028,38 +11985,38 @@ "rule_name": "Behavior - Prevented - Elastic Defend", "sha256": "02eda12d21fbff98e95223ba0596351a3c2e483be002663151be5c250edadc69", "type": "query", - "version": 6 + "version": 5 }, "eb958cb3-dead-42b6-94ff-b9de6721fab2": { "min_stack_version": "9.3", "rule_name": "Curl SOCKS Proxy Detected via Defend for Containers", "sha256": "b1f046cc6ad9e006048ddfcacca9aa967e5c89498422580dacd3eb6f803018d1", "type": "eql", - "version": 3 + "version": 2 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", "sha256": "a983e45d426bb8f3a4ef45dfd2f57506e858af2344cca3033b44a1671fdaa745", "type": "eql", - "version": 216 + "version": 215 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "56231d3c8e57ad67eef559e631d5025fa3d21b1307ebe044ebf1101c9f679348", "type": "eql", - "version": 420 + "version": 419 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", "sha256": "15c46a24e64047ef68bd03a84b821a716b491971416ef9b02883d970c07d56c7", "type": "eql", - "version": 319 + "version": 318 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "rule_name": "Process Execution from an Unusual Directory", "sha256": "bc67d00162d4bd5880558c09ba1388898c1594d83fe5d71927eaed1a8669f51e", "type": "eql", - "version": 321 + "version": 320 }, "ec604672-bed9-43e1-8871-cf591c052550": { "min_stack_version": "9.3", @@ -12075,13 +12032,13 @@ "rule_name": "File Execution Permission Modification Detected via Defend for Containers", "sha256": "4684363244e89ea872ffc5b25a90561dc40b3e284b58a2c4d394889bed620bf0", "type": "eql", - "version": 108 + "version": 107 }, "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": { "rule_name": "Kubernetes Forbidden Creation Request", "sha256": "09dc580af4f250fb15a73dc047af068447edce0b410ee07b9845a39184a09496", "type": "eql", - "version": 4 + "version": 3 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "rule_name": "M365 Exchange Inbox Forwarding Rule Created", 
@@ -12090,16 +12047,16 @@ "version": 213 }, "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { - "rule_name": "Suspicious Instance Metadata Service (IMDS) API Command Line Execution", - "sha256": "5dca349ec2b34ee711601e1eb5406883c80c7b9c3409d38cb345cace5c3288df", + "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", + "sha256": "33d196de5eaecf3864a3bb8ee494aaa4ee44ed5a27f25e452bcf28fa226c22dc", "type": "eql", - "version": 10 + "version": 8 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "rule_name": "Executable File with Unusual Extension", "sha256": "b9cbdb757c2d5778d0c1a517bd488966edd65b3f3716a9afe62b215d97b44f5d", "type": "eql", - "version": 5 + "version": 4 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "Deprecated - AWS RDS Instance/Cluster Stoppage", 
@@ -12111,55 +12068,55 @@ "rule_name": "Unusual Remote File Creation", "sha256": "f29aab770fc7ef7708a96949b02b0e60282b7199951b302c2fdffbd1893bb9e9", "type": "new_terms", - "version": 8 + "version": 7 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Entra ID Global Administrator Role Assigned (PIM User)", "sha256": "7cc31a789b7c74143fda38cba04d25c2603889e20c7dcd188f4ece32bf1d1426", "type": "query", - "version": 110 + "version": 109 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", "sha256": "5da6851210dd75f83e92706270154d54c07273e615cfe18134a17e7bf4ee3969", "type": "eql", - "version": 320 + "version": 319 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "703363f0e0174c2ee80e6f77652694e5162cc28d87e1c2e204dca58e5356c34c", "type": "query", - "version": 415 + "version": 414 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "2ad58626d16eda853776294192c4b7c37d50f48d4f20496bcdbc93e9f3d61f2e", "type": "eql", - "version": 322 + "version": 321 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "rule_name": "Linux User Account Creation", "sha256": "5560af4da75f6828cfd7b29908eba789035a6a7fb66d4380dc6d4acc5ff5a967", "type": "eql", - "version": 11 + "version": 10 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "rule_name": "Okta FastPass Phishing Detection", "sha256": "6dbed41461451dc5040bb4d309300f105a9ff9e96c0e3dcf65baa67ffdd640af", "type": "query", - "version": 313 + "version": 312 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "rule_name": "Unusual Print Spooler Child Process", "sha256": "680b0b509c4530e793e2e495bc660350fca76194950aca3d7499505c0eed9ade", "type": "eql", - "version": 218 + "version": 217 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "rule_name": "Shortcut File Written or Modified on Startup Folder", "sha256": "ed57ac9eacaf051cab3aeae3f09c0a59fdfb7eb9ca18e4ceada98adc47ac6bc6", "type": "eql", - 
"version": 5 + "version": 4 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", @@ -12171,13 +12128,13 @@ "rule_name": "Suspicious Execution from a WebDav Share", "sha256": "cb9ecbc855c3a9bf371ed5766b1f1a6cef2acba08494acf22942d88981b9a3c8", "type": "eql", - "version": 5 + "version": 4 }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "7e94ba5f3a71b92a82127fd13074b0a47b5a195b6185a0c91e3dde09717423a4", + "sha256": "7a0362350bccdcf49752c63e045a43a649ae3127354129648e3ebd3c78e2b713", "type": "eql", - "version": 115 + "version": 113 }, "eef9f8b5-48ec-44b5-b8bd-7b9b7d71853c": { "min_stack_version": "9.3", @@ -12193,25 +12150,25 @@ "rule_name": "Kubectl Apply Pod from URL", "sha256": "2871a014569f179baaf61a47aa3ed4dac8c9d1cdfcf046caa1f02877fa61f0fc", "type": "eql", - "version": 104 + "version": 103 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "rule_name": "BPF filter applied using TC", "sha256": "a3ca2a4019b1f9b82a42cdaa30c22e6b21138566a0f076dff76cc58ed8d5d943", "type": "eql", - "version": 216 + "version": 215 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", "sha256": "8641c7f69ff921eb91354ab0425fd0d989f5bf8bdaea934338fa5e03118cab42", "type": "eql", - "version": 114 + "version": 113 }, "ef395dff-be12-4a6e-8919-d87d627c2174": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option", "sha256": "e9dbef389b92ca88b2b526127180bb1f77f872b82ed5506e5e3531967903bfa3", "type": "eql", - "version": 6 + "version": 5 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "min_stack_version": "9.3", 
@@ -12227,13 +12184,13 @@ "rule_name": "Potential notify_on_release Container Escape Detected via Defend for Containers", "sha256": "fac418cef4e709d91017ce5c1eeaa17b08e05b05e91e0e7584f00c36d2c239ad", "type": "eql", - "version": 104 + "version": 103 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", "sha256": "1db39e102de230f0e5f11a6c3d8bc5633bbbb419481894a8935bb3421b5cf5c7", "type": "eql", - "version": 220 + "version": 219 }, "ef8cc01c-fc49-4954-a175-98569c646740": { "min_stack_version": "9.4", 
@@ -12249,91 +12206,91 @@ "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "sha256": "71567755940d538c15fd90849caad5bf4ee4a89e0afd72f43b9ceac4f9ec3f1b", "type": "machine_learning", - "version": 109 + "version": 108 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "90d47b1e899493d89143f8cd27fabf5811ebff7fe3c0fc8cefd0ad0f234155d4", "type": "eql", - "version": 215 + "version": 214 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "rule_name": "Suspicious HTML File Creation", "sha256": "8f7b437675b9cbd0e34995768cab78c83a9aaf0aa77c6029975fa1df36288295", "type": "eql", - "version": 114 + "version": 113 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "rule_name": "Okta User Assigned Administrator Role", "sha256": "2fd1365685f9e79ac576991cdb849afc70a64f0b0a5704b845cb04f44a7892c1", "type": "query", - "version": 416 + "version": 415 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "sha256": "086b4d37de07398af3828f86c06b19b7daa37d14b98d16b1236a284a3e119b99", "type": "eql", - "version": 116 + "version": 115 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Diagnostic Settings Alert Suppression Rule Created or Modified", "sha256": "8b1cd77d90733f7dbd27b5fa93888a24d03bd9e802b97882331f8fd173e040cf", "type": "query", - "version": 110 + "version": 109 }, "f0cc239b-67fa-46fc-89d4-f861753a40f5": { "rule_name": "M365 or Entra ID Identity Sign-in from a Suspicious Source", - "sha256": "12a6f5eeb93353e06ee26685e0f49e87f4447df42a8a21c140b0e7729fc41860", + "sha256": "b018cb831bab9746612fb38c1c6080689b2ab4bb4ccfa34a88b794eb86e4b5a7", "type": "esql", - "version": 9 + "version": 7 }, "f0dbff4c-1aa7-4458-9ed5-ada472f64970": { "rule_name": "dMSA Account Creation by an Unusual User", "sha256": "28416e6918e51a300324bffb33451ff11a943ec5dc6075a7cd04e1d85f4fcb07", "type": "new_terms", - "version": 6 + "version": 5 }, 
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", "sha256": "32ada2c4a68d705cc598de4bde5cc1be7e0516bae9dad176373243f9fc65c0c2", "type": "eql", - "version": 112 + "version": 111 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "rule_name": "Suspicious Child Execution via Web Server", "sha256": "92e68a660ef180ceb453fee81c78a5fdc2c39b9351c923d2aca6901a11f0e360", "type": "eql", - "version": 114 + "version": 113 }, "f18a474c-3632-427f-bcf5-363c994309ee": { "rule_name": "Process Capability Set via setcap Utility", "sha256": "dbc36b11a558109353c290252cfc47fa5b88768748732ceb11ed91403dd76705", "type": "eql", - "version": 107 + "version": 106 }, "f1a2b3c4-d5e6-4789-a012-3456789abc01": { "rule_name": "Kubernetes Pod Exec Potential Reverse Shell", "sha256": "c7e91f6c8b2f39082470926c780b65b578a79523ed0d2eef013c950f9b6f150a", "type": "esql", - "version": 2 + "version": 1 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", "sha256": "fa20fb477b98059cdcedc8515e55e02f1f0f705253f61f5f68683154a52bf7c8", "type": "query", - "version": 8 + "version": 7 }, "f1f3070e-045c-4e03-ae58-d11d43d2ee51": { "rule_name": "Manual Loading of a Suspicious Chromium Extension", "sha256": "ef1b596dbcc21f0ff44dd908eee0347efe6248aa5bdf14b884c61df77b777949", "type": "eql", - "version": 3 + "version": 2 }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", "sha256": "8ad36bf549c8e2d030b047008548086597c14917e95fb16824216d0b6e03fbc9", "type": "eql", - "version": 10 + "version": 9 }, "f20d1782-e783-4ed0-a0c4-946899a98a7c": { "min_stack_version": "9.4", @@ -12349,7 +12306,7 @@ "rule_name": "Unusual City For a GCP Event", "sha256": "8eb28f90d5cd908568c9a395131d2080306c30096616c06ee1c3985dbdaa83f9", "type": "machine_learning", - "version": 103 + "version": 102 }, "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": { "min_stack_version": "9.3", 
@@ -12362,74 +12319,74 @@ "rule_name": "Service Path Modification", "sha256": "479c0261e46fdc70b821b6577c00bdd690bec74af99f5f6a36350458a33dcaca", "type": "eql", - "version": 108 + "version": 107 }, "f246e70e-5e20-4006-8460-d72b023d6adf": { "min_stack_version": "9.3", "rule_name": "Modification of Persistence Relevant Files Detected via Defend for Containers", "sha256": "3d7e318f67c97976127e145e374accefe76ed153e63466f41c6c788e5a1ba230", "type": "eql", - "version": 3 + "version": 2 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "45f3aba3743e27c3175dc85c3bb918ef1ddeb13d337dd61d81634e7b6d7ed1ce", "type": "eql", - "version": 115 + "version": 114 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "rule_name": "Potential OpenSSH Backdoor Logging Activity", "sha256": "327423f201c4aefab10ca8e4a5e9604d884907651d4475cc37c199a277b289a8", "type": "eql", - "version": 216 + "version": 215 }, "f2a3b4c5-d6e7-4f89-a012-b3c4d5e6f789": { "rule_name": "AWS STS GetFederationToken with AdministratorAccess in Request", "sha256": "91174dba23bc43a851dead24976835e0676adbd66157638393d08f763e89f99e", "type": "query", - "version": 2 + "version": 1 }, "f2a8c4d1-6b3e-4a9f-8c2d-1e5f7a9b0c4d": { "rule_name": "Potential Privilege Escalation in Container via Runc Init", "sha256": "6fbd2f2d731383ed9178b410b4cafc180a818c0b740dd9a77422871ea17e10e1", "type": "query", - "version": 2 + "version": 1 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Detected - Elastic Defend", "sha256": "41ad2b2030986dcdd6d5acd828d369cbf10f4b53afd0cbc73f44834f48ac57aa", "type": "query", - "version": 6 + "version": 5 }, "f2c43e8c-ccf2-4eab-9e9a-e335da253773": { "rule_name": "M365 Purview Insider Risk Signal", "sha256": "7b79f31c41b50f2de307dec4edf986446644ccdd5d81087cd0d65070e5bc6841", "type": "query", - "version": 2 + "version": 1 }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "rule_name": "AWS Bedrock Invocations without Guardrails 
Detected by a Single User Over a Session", - "sha256": "6ff7d13565c3fa8aaf9cead54500dbc3dd13e124a87f2b6c7eaf2d0d528cd55f", + "sha256": "fb2f06600975682327919ea6da257a7190a1e93ff582838cf3175181d49386cd", "type": "esql", - "version": 7 + "version": 5 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", "sha256": "dd9efc0a3ffb4c20b6356fa5966046c6d5c8014667ba8d56f8028261e21cd508", "type": "eql", - "version": 317 + "version": 316 }, "f2e21713-1eac-4908-a782-1b49c7e9d53b": { "rule_name": "Kubernetes Service Account Modified RBAC Objects", "sha256": "970354cbf4c8525c8836fda8fdd3ab8f107769ab8b4d4a7c341afd376449a261", "type": "query", - "version": 4 + "version": 3 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", "sha256": "e67746f8ea85b9aebd84e067fe5be4217f8d5382337a0a23661ea8202ab92a64", "type": "eql", - "version": 317 + "version": 316 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "rule_name": "Deprecated - AWS RDS Instance Creation", 
@@ -12441,49 +12398,49 @@ "rule_name": "Google Workspace Object Copied to External Drive with App Consent", "sha256": "9d1a8b1da8853216b701b3b7ccea1089b6689b2a0de289b79746bd6a7db343f0", "type": "eql", - "version": 14 + "version": 13 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "sha256": "e86a0477a7cb46e3ade238a3b3e865a455c9ce4830f4b82a07926f3c757e1546", "type": "query", - "version": 10 + "version": 9 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", "sha256": "79000745ecb9f28c29dc37aa11e735c6fd1e2071d72b6c828cdc06293ce6d97b", "type": "eql", - "version": 219 + "version": 218 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt", "sha256": "0514c676be47b85dcf14f42d8d1cdf053122f7506f0b5eef242a105e5dfe4ed1", "type": "threshold", - "version": 110 + "version": 109 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { "rule_name": "Suspicious Network Connection via systemd", "sha256": "6a81be3e4096d5230ed6ddb6d5e9ed0624a4404f651a9aaaee9491b33a744050", "type": "eql", - "version": 11 + "version": 10 }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", "sha256": "461cca8e6da44cb954ccd1568e0195772daa254860053359bea965b58e5b3560", "type": "esql", - "version": 12 + "version": 11 }, "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", "sha256": "e0cd0eab0070a7deca66e3db5b6508709873263b818c68be1f560cd32e5ccbb1", "type": "new_terms", - "version": 7 + "version": 6 }, "f3ac6734-7e52-4a0d-90b7-6847bf4308f2": { "rule_name": "Web Server Potential Command Injection Request", - "sha256": "18b9d436c23a244a1c4fe534f6f95c583b675b339e0759f03ee429d00de80a5f", + "sha256": "5812c308169a8a574e71c2c86b2e0de69913521b67e5d655346bf0f7e65fb092", "type": "esql", - "version": 8 + "version": 6 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { 
"rule_name": "Threat Intel URL Indicator Match", @@ -12495,7 +12452,7 @@ "rule_name": "Remote Desktop File Opened from Suspicious Path", "sha256": "8eb6f9850d1ca4101a9c31eef37742993dbb0a0b9ea08a5e1bd5e36338f86abe", "type": "eql", - "version": 10 + "version": 9 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation", 
@@ -12507,37 +12464,37 @@ "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "553406e7a5fe05f12c98e908e130c595f11aad5ba24d6521b3cb95431f1220cf", "type": "eql", - "version": 315 + "version": 314 }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Pluggable Authentication Module or Configuration Creation", "sha256": "4e7927ea9ee84da27a6bc1fc12f753e2d873328a3a1f8113354afe2c2889690e", "type": "eql", - "version": 10 + "version": 9 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal", "sha256": "fae91cdc5143504077c9cc353440c3df9dc19a9fb86b257633e5cee480d0754f", "type": "query", - "version": 220 + "version": 219 }, "f4b857b3-faef-430d-b420-90be48647f00": { "rule_name": "OpenSSL Password Hash Generation", "sha256": "578fa837f0af51bf69c436d7ba2cc8d249f7fc6cfc00be5c25b0ba71b3069fa7", "type": "eql", - "version": 7 + "version": 6 }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", - "sha256": "a3488ceb0564d887f46fe146dad6bca90a9eb402a00ee3b6b223a4b68183c68a", + "sha256": "f9eaf69ddd185f8b4c607c763db8ca5e3206d6599f48108b961d0a79fb572322", "type": "esql", - "version": 9 + "version": 7 }, "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { "rule_name": "DPKG Package Installed by Unusual Parent Process", "sha256": "2ecc5312b7dd25b04f1124d44fdcf991f2650e3684b81ba6910730dbb18db5b7", "type": "new_terms", - "version": 8 + "version": 7 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -12549,19 +12506,19 @@ "rule_name": "Suspicious Data Encryption via OpenSSL Utility", "sha256": "6212d9d93c65c1e446bdeb51474d2abaded9566ccad6cbc8ef83ff0fed9163ac", "type": "eql", - "version": 13 + "version": 12 }, "f541ca3a-5752-11f0-b44b-f661ea17fbcd": { "rule_name": "Entra ID Sign-in TeamFiltration User-Agent Detected", "sha256": "3f339217cd8eae50f29ce9fcb9124f0a7526f85b0ad85961b8583156f1823d6d", "type": "query", - "version": 4 + "version": 3 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", "sha256": "f633d19c3abff0200df7cb8e9904664c8aac48f10ecf058e5eacbfc730a9c3d6", "type": "eql", - "version": 318 + "version": 317 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "rule_name": "Deprecated - SSH Connection Established Inside A Running Container", 
@@ -12573,32 +12530,32 @@ "rule_name": "Rare SMB Connection to the Internet", "sha256": "7cba8d9dc86077834c99f4032ae1cfd0578a03e74b98f5af2a786a578f374476", "type": "new_terms", - "version": 215 + "version": 214 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "e2478afe8591053489cbda3bfcc55b4842a4119642e5d56d3ce788a9179b5c3f", "type": "query", - "version": 112 + "version": 111 }, "f596175f-b8fd-43ac-b9e9-ea2a96bb55d8": { "min_stack_version": "9.3", "rule_name": "Kubelet Pod Discovery Detected via Defend for Containers", "sha256": "7723c687b0c450f64a00cee36d7c3931bd7c021d6ff6833cf9c9271a2a5f42f7", "type": "eql", - "version": 3 + "version": 2 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "rule_name": "WMIC Remote Command", "sha256": "0e72674c9e5b508cb58ff78ab6d5d918767df0ff88c1a86cec3981f283555247", "type": "eql", - "version": 112 + "version": 111 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { "rule_name": "Setcap setuid/setgid Capability Set", "sha256": "3000740cd69fe252c0029fb2309de620fe221dc6bdbb6873c6de6c6dec2414f9", "type": "eql", - "version": 113 + "version": 112 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "9.4", 
@@ -12614,56 +12571,56 @@ "rule_name": "Parent Process Detected with Suspicious Windows Process(es)", "sha256": "6087543daca9986a612585855dcfc77d192fd4a1e20ab80710f3619022cc0cc8", "type": "machine_learning", - "version": 212 + "version": 211 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "rule_name": "Masquerading Space After Filename", "sha256": "b8a837130b3b5d74204a8537614a5612a561e68b829c89916fbf5f67d9505c72", "type": "eql", - "version": 13 + "version": 12 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "rule_name": "Account or Group Discovery via Built-In Tools", "sha256": "dc828379a80bcd81d6d54e8910635b11a89acc59e65e859525568e856567c371", "type": "new_terms", - "version": 8 + "version": 7 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "dbf7164e7bc3f1a792a0e2ee5a048cbda99b3aed0d7af7693f32134c4bdab517", "type": "eql", - "version": 318 + "version": 317 }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", "sha256": "1dff4a3354ffb01188e7144a8483bb555136a03b278e0b3410d4233e5fd77d8b", "type": "eql", - "version": 10 + "version": 9 }, "f66a6869-d4c7-4d20-ab13-beefd03b63b4": { "min_stack_version": "9.3", "rule_name": "Environment Variable Enumeration Detected via Defend for Containers", "sha256": "4940432d89d05102af4274afb80384ca2bda0d452e0521a1afc0879a5237b699", "type": "eql", - "version": 3 + "version": 2 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "3eecb4705dfa3aca68572467da4f1e62c4ff2fa7df0aefd85aca9094d24a9f29", "type": "eql", - "version": 317 + "version": 316 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", "sha256": "08ad8ed2e2ca485401fa0335d86ab975c721be7927df7d41f56076abb95d7db6", "type": "eql", - "version": 112 + "version": 111 }, "f6a0b2c3-4d5e-4f7a-8b9c-0d1e2f3a4b5c": { "rule_name": "AWS KMS Key Policy Updated via 
PutKeyPolicy", "sha256": "823e0533246b6570195a0c0456c4cbbe2a722ac375ce8f8b0c850026c5bdb314", "type": "query", - "version": 2 + "version": 1 }, "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": { "min_stack_version": "9.2", 
@@ -12679,49 +12636,49 @@ "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", "sha256": "c07fa7fae81922d04accf363a9e78642676d26e8aee182c0560cf0824f2ac45d", "type": "new_terms", - "version": 110 + "version": 109 }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", "sha256": "e9712cbae119495bbc148f3c7ddb66a6c11d34127865165f2a9572d6ecdff0ba", "type": "esql", - "version": 13 + "version": 12 }, "f701be14-0a36-4e9a-a851-b3e20ae55f09": { "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", "sha256": "55de9b4b300ea2acb263f1cc4cbed9585e7669be566e58e1fa22c6db3d9e7a9c", "type": "query", - "version": 5 + "version": 4 }, "f754e348-f36f-4510-8087-d7f29874cc12": { "rule_name": "AWS Sign-In Token Created", "sha256": "b4f3c7bb4e908abc5172e54beffa1e362454012ebbc480fe2d7ce71b7112cd71", "type": "query", - "version": 3 + "version": 2 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "rule_name": "System Hosts File Access", "sha256": "e74aea796502decaa57c31bdfcbbb1fd65f68a826f3c3e1f3f6fdf7cb458fa3b", "type": "eql", - "version": 8 + "version": 7 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Entra ID Service Principal Credentials Created by Unusual User", "sha256": "6e45ed34b41c65dea5f26b4fd76c9a2d93cd04c869ff1233f8c9f818ae8ea9fb", "type": "new_terms", - "version": 111 + "version": 110 }, "f770ce79-05fd-4d74-9866-1c5d66c9b34b": { "rule_name": "Potential Malicious PowerShell Based on Alert Correlation", - "sha256": "d2074c011da999162852d4382bbc9a7904cb9936643600eff6a4a08765cc5d7a", + "sha256": "18fe52692212c76a8aa0b987ba3acfd8a6000f9c822bed35cf9ff4813f183040", "type": "esql", - "version": 7 + "version": 6 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", "sha256": "79d4a35620619779083ee70524a8ef1682a27632b98289f7456caa69d6568239", "type": "query", - "version": 215 + "version": 214 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { 
"min_stack_version": "9.3", 
@@ -12737,110 +12694,110 @@ "rule_name": "SSH Authorized Key File Activity Detected via Defend for Containers", "sha256": "14f95ad2256fe5d602c0c02461a1ad0140159a49d4af60382a20a6d2511f1cfd", "type": "eql", - "version": 107 + "version": 106 }, "f7a131f8-44b7-4957-99a4-e6c54d93d816": { "rule_name": "Potential Kubeletctl Execution", "sha256": "89f8d852aa107f4487eef99b1e6a9d81950c954a0b6533b2f283a5dfdd9a07e5", "type": "eql", - "version": 2 + "version": 1 }, "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", "sha256": "0df65b003548a28c9f18c010d2dd59a06433f01121e7a155c496e0b44d3cb6c1", "type": "new_terms", - "version": 7 + "version": 6 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "27b911863a0e93338b177cb55bbbcb19a306892e7f2ec0d6e264e1ae71959810", "type": "eql", - "version": 319 + "version": 318 }, "f7c64a1b-9d00-4b92-9042-d3bb4196899a": { "min_stack_version": "9.3", "rule_name": "Service Account Namespace Read Detected via Defend for Containers", "sha256": "9f57c86383c5c1b1e2b9f7f6640f0c0651119f9ae170973ee430a1280981cecc", "type": "eql", - "version": 4 + "version": 3 }, "f7c70f2e-4616-439c-85ac-5b98415042fe": { "rule_name": "Potential Privilege Escalation via Linux DAC permissions", "sha256": "273a68b602a7b719ceb9864ebcbbf2d46da699434458da9c37a16b290bdcd808", "type": "new_terms", - "version": 9 + "version": 8 }, "f7d588ba-e4b0-442e-879d-7ec39fbd69c5": { "rule_name": "Potential SAP NetWeaver WebShell Creation", "sha256": "1ec092ad267fde831ed0f6df37ec577f9d2275d7956117a0052e4eb35ee7068d", "type": "eql", - "version": 3 + "version": 2 }, "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": { "rule_name": "AWS Suspicious User Agent Fingerprint", "sha256": "27d2eb5e6870d7c227dd3a411c07293fecb8f8f2f775777480a7dd0e02bc409d", "type": "eql", - "version": 6 + "version": 5 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "rule_name": "Microsoft Exchange Worker Spawning 
Suspicious Processes", "sha256": "e1093b274ee488b7ae91e618e9198f2f5fbb2e38c105ebe0d065545ffadd5cf9", "type": "eql", - "version": 317 + "version": 316 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "sha256": "944482376711795146b91fa8d586f565364c9cab3cf94481924fb5d7128846c4", "type": "eql", - "version": 111 + "version": 110 }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", "sha256": "ab72bdf494ad1fe2b76321bce5c7385b100ac9456193bbd02076b9162c828500", "type": "eql", - "version": 11 + "version": 10 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "01d3cd8eb31e61543055122ffea2e86a0bf0f5be3388459c2f465a0301c572cb", "type": "eql", - "version": 318 + "version": 317 }, "f87e6122-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Prevented - Elastic Defend", "sha256": "5f0651f7f44774e085a9b994162b48004c1a1ea83463576e78763c92ceecb71b", "type": "query", - "version": 6 + "version": 5 }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { "rule_name": "Potential Active Directory Replication Account Backdoor", "sha256": "8b8cfdc1b6e853232d72a002e0d118a07d7b24e93ac97350d75f63492b64600f", "type": "query", - "version": 112 + "version": 111 }, "f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10": { "rule_name": "Kubernetes Secret get or list from Node or Pod Service Account", "sha256": "54c8912357a44e55f6e5f02a278d9037893b4919c7b4af99370d5049ef288546", "type": "query", - "version": 3 + "version": 2 }, "f909075d-afc7-42d7-b399-600b94352fd9": { "rule_name": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent", "sha256": "1f3539efa4a2f15732756c9d225c458db94a94e3e76db2e5e75c56fc4ef25b98", "type": "eql", - "version": 108 + "version": 107 }, "f92171ed-a4d3-4baa-98f9-4df1652cb11b": { "rule_name": "Potential Secret Scanning via Gitleaks", "sha256": 
"4861674e448f597aa53a76a1d592c4eeeeb880c7a635868424b52dbd07885f11", "type": "eql", - "version": 4 + "version": 3 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "17321d3d74af2ddb12d9920ceb84fd2b8ca8e772fcb350e32526d5c46c5672c8", "type": "new_terms", - "version": 209 + "version": 208 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "min_stack_version": "9.4", 
@@ -12856,49 +12813,49 @@ "rule_name": "Unusual Linux Network Configuration Discovery", "sha256": "b6a7707b778a054c85270746ef3d0855539421ee3103f6c883ea68097524173b", "type": "machine_learning", - "version": 209 + "version": 208 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "rule_name": "Ingress Transfer via Windows BITS", "sha256": "8f1a587012787e08bd7b994c54b371e5ff8d27a2cf4b52b93f0541c8eeb0a2a5", "type": "eql", - "version": 14 + "version": 13 }, "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": { "rule_name": "Okta Admin Console Login Failure", "sha256": "3677a7454991a183ca50685f05c67cfbb7ab40cf6d1228854c5bc90678c5ed52", "type": "query", - "version": 3 + "version": 2 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "rule_name": "Browser Extension Install", "sha256": "db212e9bc4d6e1742a38a366ddb3b13939e0bbe4e792978053b32dc4fafbcd64", "type": "eql", - "version": 211 + "version": 210 }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", "sha256": "38bd2f9e10713d14fe22bca802a8451930bea026c19babeddec2c1c26e14a9ab", "type": "esql", - "version": 11 + "version": 10 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "rule_name": "Privileged Accounts Brute Force", "sha256": "8afcd5fb546282c618329fe4b5405930b900d0c5f91b6a3894ab8f38df780dbd", "type": "esql", - "version": 120 + "version": 119 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "3f42d9f4d6c683fa8e24940e81e098732937f7c261ff50f3c743c37d18f8492d", "type": "query", - "version": 414 + "version": 413 }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", "sha256": "9fc867fa956909614f0c374d0eef744aaa01a9f0bc9c8c4cb346e4abe5b2e9f0", "type": "esql", - "version": 13 + "version": 12 }, "f9de0949-94d8-441d-ae9a-8eb1e040acf2": { "rule_name": "Newly Observed Process Exhibiting High CPU Usage", 
@@ -12910,67 +12867,67 @@ "rule_name": "Remote File Copy to a Hidden Share", "sha256": "703a7a28c0e9d60ac345d7ff3b528565b332ae1f6e8e959878c741327fbc0108", "type": "eql", - "version": 321 + "version": 320 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "rule_name": "Potential External Linux SSH Brute Force Detected", "sha256": "9731338ba3f551d2349c7c13e09c98d974880b06e1b03a55ee03454295de4adb", "type": "eql", - "version": 12 + "version": 11 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "rule_name": "Potential Reverse Shell via Suspicious Binary", "sha256": "75eae6a378cd9de230df241678954eca014909ff202bd7530fd66caad62920c5", "type": "eql", - "version": 14 + "version": 13 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "339af3c6decf44171d39eb6af3fe6a811d9c725f06886ed9865a5eabd9310f8d", "type": "eql", - "version": 322 + "version": 321 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "rule_name": "Potential Disabling of AppArmor", "sha256": "2f19b753f33613c744acac5ad08008b53e8791926ce4f2e512d8f9d0738fe054", "type": "eql", - "version": 114 + "version": 113 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL", "sha256": "e1b06ffe4e33874ed8e0700e601b69f3c9138637316c92d5c31067e7384a7006", "type": "eql", - "version": 111 + "version": 110 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Registration Utility", "sha256": "d3f5c7183ddff278c200bf2ed689942fb3e756bea5404573d607b22e0d90da44", "type": "eql", - "version": 213 + "version": 212 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "bf668bb17c3ea7604e554f63825a99d9153ff36affd8b4b9ebb087cba806ff0f", "type": "threshold", - "version": 210 + "version": 209 }, "fb16f9ef-cb03-4234-adc2-44641f3b71ee": { "rule_name": "Azure OpenAI Insecure Output Handling", - "sha256": "799952ea9ded7fa71e9d842e3a27b248bc6c4d49ac83aa56949ca1bd6d6447df", + 
"sha256": "6d7efa2625569a818bc649d0e39b3174fdce1739aa2da7102b945a217e3912e6", "type": "esql", - "version": 7 + "version": 5 }, "fb3ca230-af4e-11f0-900d-f661ea17fbcc": { "rule_name": "Okta Multiple OS Names Detected for a Single DT Hash", "sha256": "e00405635f604093c0a8a65f92aa45f3a61a087ba4372ea7b1d6a2b5e06d486a", "type": "threshold", - "version": 2 + "version": 1 }, "fb542346-1624-4cf2-bcc7-c68abaab261b": { "rule_name": "Kernel Instrumentation Discovery via kprobes and tracefs", "sha256": "b7658647fd18f717cf27e94dc7503078ad59c72e1477332c507001cd361c4b10", "type": "eql", - "version": 3 + "version": 2 }, "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { "min_stack_version": "9.4", @@ -12986,13 +12943,13 @@ "rule_name": "Unusual Group Name Accessed by a User", "sha256": "667f169cd9b1cccf4aea8c89b3535d32676adf3648fb6ec26bd809d1a57539e4", "type": "machine_learning", - "version": 105 + "version": 104 }, "fb8790fc-d485-45e2-8d6e-2fb813f4af95": { "rule_name": "Dylib Injection via Process Environment Variables", "sha256": "3da41c31ba94d685cd75f85322328359014c5be38f21ccf09593a68bf338b641", "type": "eql", - "version": 3 + "version": 2 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", @@ -13004,7 +12961,7 @@ "rule_name": "Potential Fake CAPTCHA Phishing Attack", "sha256": "57236fd56cbb9d847b89d0f3dabc3067acac43e780f46d94437f5c0cbc3599fd", "type": "eql", - "version": 5 + "version": 4 }, "fbb10f1e-77cb-42f9-994e-5da17fc3fc15": { "min_stack_version": "9.4", 
@@ -13020,49 +12977,49 @@ "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", "sha256": "2a0c28333cbc2b59a754048dac4ba1ba85e1e32f9407e91291bbe69a9abbcf5d", "type": "machine_learning", - "version": 105 + "version": 104 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", "sha256": "992873866168b6dc2174c2626fb35218105596756c2e0301459d4c664ae9ea8d", "type": "query", - "version": 213 + "version": 212 }, "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": { "rule_name": "Process Started with Executable Stack", "sha256": "fd1e26f5a72a073b0f04248104e8a153e66925a0edbac78669638790918671c2", "type": "query", - "version": 7 + "version": 6 }, "fc552f49-8f1c-409b-90f8-6f5b9869b6c4": { "rule_name": "Elastic Defend Alert Followed by Telemetry Loss", "sha256": "67f6095aaaf71d37cb9ae1e5b587093cea6fa579d3654a9353068eb9b0edef4d", "type": "eql", - "version": 4 + "version": 3 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "b9b40ca0af3b9ae7237ee58b9db28fdb68df1dc944e6582fc0cf91ee188b4e5d", "type": "eql", - "version": 316 + "version": 315 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "b75dda67fd9da77f1320ea7c94c736e499c45243b2d3a1f0775caeca732cf753", "type": "new_terms", - "version": 209 + "version": 208 }, "fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": { "rule_name": "Proxy Execution via Console Window Host", "sha256": "da23ef37ab245220584b0229ede378558147536d721124480c11f605078401a3", "type": "eql", - "version": 5 + "version": 4 }, "fcd2e4be-6ec4-482f-9222-6245367cd738": { "rule_name": "M365 Identity OAuth Flow by User Sign-in to Device Registration", "sha256": "61bd95935880280101cb47357cfba9fda77a633cad787f7e0f4983dcf66fccf7", "type": "eql", - "version": 5 + "version": 4 }, "fcf18de8-ad7d-4d01-b3f7-a11d5b3883af": { "rule_name": "Threat Intel Email 
Indicator Match", @@ -13074,25 +13031,25 @@ "rule_name": "User or Group Creation/Modification", "sha256": "2d62847cab8c33a052e502836ad121caf86f64b238197c9a1b2938d4e27c5f5e", "type": "eql", - "version": 9 + "version": 8 }, "fd00769d-b18d-450a-a844-7a9f9c71995e": { "rule_name": "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount", "sha256": "84051400b1ae5421cfb0710d08885fc6ccb194cced886576497e63909acfa9c9", "type": "query", - "version": 3 + "version": 2 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { "rule_name": "GitHub App Deleted", "sha256": "eec1892d492dc25cab5480d300e33e9aac87bcbb4386d100cab35cb223d38ce6", "type": "eql", - "version": 210 + "version": 209 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", "sha256": "74a0ff1c1a288bfbe8134ef5390dc9c7a9081b9e769c155809243aa52e7bd168", "type": "new_terms", - "version": 10 + "version": 9 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", 
@@ -13104,49 +13061,49 @@ "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "ef85670df7af1d67434ee4a084dae6785d63ea6fad1da9fed5bfefceaed92178", "type": "eql", - "version": 320 + "version": 319 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Suspicious CertUtil Commands", "sha256": "33778ead57b302d2250b723cf23c47fec7f96b8dcff8dfd99fc8f806e4ed0484", "type": "eql", - "version": 319 + "version": 318 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", "sha256": "17b5ec1f17eb3bdc6ba867893df9d9201b1818c50d9896f84da7c3d4c94db588", "type": "new_terms", - "version": 429 + "version": 428 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "rule_name": "Image Loaded with Invalid Signature", "sha256": "03745c7178dcf6374257634aeffef34bd5009ab9b52fbd8e2dd6d77b57ba1a47", "type": "eql", - "version": 5 + "version": 4 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "rule_name": "System Binary Moved or Copied", "sha256": "c20425759c10146a7e712fece38e597058b1970b880b8dc01d9683d931348140", "type": "eql", - "version": 19 + "version": 18 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "44814458fede28b8e96ffe4731862abd5077e5562e02d387ad816b812454f814", "type": "query", - "version": 114 + "version": 113 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "4f61d5a4d2aea076af8a4b48cd80ffa83a42e7c5bc8144c04f396ba5571cb1ac", "type": "query", - "version": 113 + "version": 112 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", "sha256": "49ad33faa96836050c4fe6962330a51b2947b18372a2c7614579d27da4012c4f", "type": "eql", - "version": 321 + "version": 320 }, "fe8d6507-b543-4bbc-849f-dc0da6db29f6": { "min_stack_version": "9.4", 
@@ -13162,43 +13119,43 @@ "rule_name": "Spike in host-based traffic", "sha256": "907d81f3a0d242ae72cb95a3525f28b646be7b2537e8437b213254a0e2ac1660", "type": "machine_learning", - "version": 106 + "version": 105 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", "sha256": "889fbc6f1fe7867a60c30e0988ce0a1ecca3b10ed4d68247409e0bbb156e228a", "type": "eql", - "version": 12 + "version": 11 }, "feba48f6-40ca-4d04-b41f-5dfa327de865": { "rule_name": "Data Encrypted via OpenSSL Utility", "sha256": "6d5bc57ab69832dcf1fceb1113c15bd50ef32043aeac5c753aa45d8ef84fb133", "type": "eql", - "version": 3 + "version": 2 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", "sha256": "e5501cb17cf5fe1cb22ce9ae6e8396575c212a05d10b7f191f96bde4173277f8", "type": "eql", - "version": 6 + "version": 5 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "51805a54ccba7e11dd5249f3383c0faa260594148db400d814d4112d22e5b4ae", "type": "eql", - "version": 314 + "version": 313 }, "fef62ecf-0260-4b71-848b-a8624b304828": { "rule_name": "Potential Process Name Stomping with Prctl", "sha256": "d2d8d9adc0b0a1e18a247c5c551721be0f8dae7e8136df787c2c7c7b44f86070", "type": "eql", - "version": 7 + "version": 6 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "b271213c5408f3105b6c293a194441c0a6ee0a8f56895b6c8b5d514a45f29206", "type": "query", - "version": 109 + "version": 108 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { "min_stack_version": "9.4", 
@@ -13214,72 +13171,72 @@ "rule_name": "Potential DGA Activity", "sha256": "1892ab19dfbba7c5209d5416fac24916cec60b288ae4bbe9f0dfcad7fbb548ad", "type": "machine_learning", - "version": 110 + "version": 109 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "rule_name": "Cron Job Created or Modified", "sha256": "911f2754934b26787ef6ce346dd060a5ff237c442db717002c7f6c6d0678ec96", "type": "eql", - "version": 20 + "version": 19 }, "ff18d24b-2ba6-4691-a17f-75c4380d0965": { "rule_name": "Suspicious JavaScript Execution via Deno", "sha256": "102528b0ebeaf11552f09f3c90c9140833eba1c358f9aa8242bda4fd27742849", "type": "eql", - "version": 5 + "version": 4 }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", "sha256": "b1c612a39634c76d3859749ffcf4a66830efa742e42ac76353710085e9a89c75", "type": "eql", - "version": 9 + "version": 8 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "rule_name": "LSASS Process Access via Windows API", "sha256": "e8c9c0b5687e154282e78e10cc4a216bb48980b43eb31f266ae4bdbb91e37781", "type": "esql", - "version": 20 + "version": 19 }, "ff46eb26-0684-4da3-9dd6-21032c9878e1": { "rule_name": "Active Directory Discovery using AdExplorer", "sha256": "e2bc14f1daa81650bb1547ff4439ba2e4f96fe3959eff2fe3d7e6aa1f47e84bd", "type": "eql", - "version": 4 + "version": 3 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "M365 Exchange Mail Flow Transport Rule Created", "sha256": "3af2c69e8e417302ef11f5cad05379d42ead8135a8bb69dbf6e400195e16d2e0", "type": "query", - "version": 214 + "version": 213 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "156d6c92921c8a78a426d13399acfc82335279f41bb1ca1b3b514f78e2d95be0", "type": "eql", - "version": 207 + "version": 206 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall Rule Deletion", "sha256": "2d21b1f06254849904bc0f96312aaddd5dbde583bae425bbb2b4e8cd08c5977c", 
"type": "query", - "version": 110 + "version": 109 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "fd78dc142d1cddc2c1b468082eba4a5caf404e211bf2b2fb770e0bb2218f5810", "type": "eql", - "version": 113 + "version": 112 }, "ffa676dc-09b0-11f0-94ba-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Top Level Domain", "sha256": "6fae13669a71fb69141b56f8ea1faa51ec5717011111ca52cae34917ddc408ce", "type": "new_terms", - "version": 4 + "version": 3 }, "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": { "rule_name": "Suspicious TCC Access Granted for User Folders", "sha256": "d7c925205ac4209a78c8c60e52b5ad975f5ca3a956f42e12337fa8dfa1035e98", "type": "esql", - "version": 4 + "version": 3 } } \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index 9fcdff583ab..657a91e6d56 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.6.43" +version = "1.6.44" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/tests/test_integrations_version_performance.py b/tests/test_integrations_version_performance.py deleted file mode 100644 index f0691bce739..00000000000 --- a/tests/test_integrations_version_performance.py +++ /dev/null 
@@ -1,105 +0,0 @@ -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. - -"""Opt-in performance comparison for related integration version resolution.""" - -import os -import statistics -import timeit -import unittest -from collections import OrderedDict -from typing import Any - -from semver import Version - -from detection_rules.config import load_current_package_version -from detection_rules.integrations import find_compatible_version_range, load_integrations_manifests - - -def _benchmark_find_least_compatible_version( - package: str, - integration: str, - current_stack_version: str, - packages_manifest: dict[str, Any], -) -> str: - """Snapshot of pre-#5601 ``find_least_compatible_version`` for benchmarking only.""" - from detection_rules.integrations import _satisfies_kibana_range - - integration_manifests = dict(sorted(packages_manifest[package].items(), key=lambda x: Version.parse(x[0]))) - stack_version = Version.parse(current_stack_version, optional_minor_and_patch=True) - - major_versions = sorted( - {Version.parse(manifest_version).major for manifest_version in integration_manifests}, - reverse=True, - ) - for max_major in major_versions: - major_integration_manifests = { - k: v for k, v in integration_manifests.items() if Version.parse(k).major == max_major - } - - for version, manifest in OrderedDict( - sorted(major_integration_manifests.items(), key=lambda x: Version.parse(x[0])) - ).items(): - version_requirement = manifest["conditions"]["kibana"]["version"] - if _satisfies_kibana_range(stack_version, version_requirement): - return f"^{version}" - - raise ValueError(f"no compatible version for integration {package}:{integration}") - - -@unittest.skipUnless(os.environ.get("RUN_INTEGRATION_PERF"), "set RUN_INTEGRATION_PERF=1 to run") -class 
TestRelatedIntegrationsVersionPerformance(unittest.TestCase): - """Compare legacy stack-dependent lookup vs stack-invariant OR range.""" - - @classmethod - def setUpClass(cls): - cls.manifests = load_integrations_manifests() - cls.packages = ["endpoint", "aws", "windows"] - cls.stacks = ["8.19.0", "9.4.0", load_current_package_version()] - cls.repeat = 7 - cls.number = 500 - - @staticmethod - def _median_ms(timings: list[float]) -> float: - return statistics.median(timings) * 1000 - - def test_benchmark_old_vs_new(self): - """Print median timings for legacy vs OR-range resolution on real manifests.""" - rows: list[tuple[str, str, float, float, float]] = [] - - for package in self.packages: - if package not in self.manifests: - self.skipTest(f"{package} not in integration manifests") - - new_timings = timeit.repeat( - lambda: find_compatible_version_range(package, self.manifests), - repeat=self.repeat, - number=self.number, - ) - new_median = self._median_ms(new_timings) - - for stack in self.stacks: - old_timings = timeit.repeat( - lambda p=package, s=stack: _benchmark_find_least_compatible_version( - p, p, s, self.manifests - ), - repeat=self.repeat, - number=self.number, - ) - old_median = self._median_ms(old_timings) - ratio = new_median / old_median if old_median else float("inf") - rows.append((package, stack, old_median, new_median, ratio)) - - print("\nrelated_integrations version resolution (median ms per call)") - print(f"{'package':<12} {'stack':<10} {'old_ms':>10} {'new_ms':>10} {'new/old':>10}") - for package, stack, old_median, new_median, ratio in rows: - print(f"{package:<12} {stack:<10} {old_median:>10.4f} {new_median:>10.4f} {ratio:>10.2f}") - - for _package, _stack, old_median, new_median, ratio in rows: - if ratio > 10: - self.fail( - f"new implementation >10x slower than legacy for {_package} @ {_stack}: " - f"old={old_median:.4f}ms new={new_median:.4f}ms ratio={ratio:.2f}" - ) 
From 73c07800d839b528ad490bff2c21ddfa3821f1f3 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Thu, 28 May 2026 14:39:46 -0500
Subject: [PATCH 03/15] fix(integrations): satisfy ruff SIM110 in _major_has_compatible_stack

---
 detection_rules/integrations.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py
index 4ce4524e3ba..487b774ed88 100644
--- a/detection_rules/integrations.py
+++ b/detection_rules/integrations.py
@@ -249,10 +249,7 @@ def _major_has_compatible_stack(major: int, version_requirement: str) -> bool:
     """Return True iff the Kibana range overlaps some stack in ``[major.0.0, (major+1).0.0)``."""
     major_lo = Version(major, 0, 0)
     major_hi = Version(major + 1, 0, 0)
-    for lo, hi in _parse_kibana_range(version_requirement):
-        if lo < major_hi and (hi is None or hi > major_lo):
-            return True
-    return False
+    return any(lo < major_hi and (hi is None or hi > major_lo) for lo, hi in _parse_kibana_range(version_requirement))
 
 
 def _stack_majors_supported_by_package(integration_manifests: dict[str, Any]) -> set[int]:
From 07cd5a03536fac0912b07929aae5887107136ca2 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Thu, 28 May 2026 16:02:07 -0500
Subject: [PATCH 04/15] fix(integrations): address review feedback for stack-major resolution

Iterate all majors overlapped by parsed Kibana bounds, derive legacy stack walk versions from manifest range floors instead of 8.19.0, remove a dead aligned-major branch, and drop RST-style double backticks in new docstrings.
---
 detection_rules/integrations.py | 49 +++++++++++++++++++++++----------
 1 file changed, 34 insertions(+), 15 deletions(-)

diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py
index 487b774ed88..dc8c3272390 100644
--- a/detection_rules/integrations.py
+++ b/detection_rules/integrations.py
@@ -246,7 +246,7 @@ def _satisfies_kibana_range(stack: Version, version_requirement: str) -> bool:
 
 
 def _major_has_compatible_stack(major: int, version_requirement: str) -> bool:
-    """Return True iff the Kibana range overlaps some stack in ``[major.0.0, (major+1).0.0)``."""
+    """Return True iff the Kibana range overlaps some stack in [major.0.0, (major+1).0.0)."""
     major_lo = Version(major, 0, 0)
     major_hi = Version(major + 1, 0, 0)
     return any(lo < major_hi and (hi is None or hi > major_lo) for lo, hi in _parse_kibana_range(version_requirement))
@@ -257,9 +257,11 @@ def _stack_majors_supported_by_package(integration_manifests: dict[str, Any]) ->
     stack_majors: set[int] = set()
     for manifest in integration_manifests.values():
         version_requirement = manifest["conditions"]["kibana"]["version"]
-        for lo, _hi in _parse_kibana_range(version_requirement):
-            if _major_has_compatible_stack(lo.major, version_requirement):
-                stack_majors.add(lo.major)
+        for lo, hi in _parse_kibana_range(version_requirement):
+            end_major = lo.major + 1 if hi is None else max(hi.major, lo.major + 1)
+            for major in range(lo.major, end_major):
+                if _major_has_compatible_stack(major, version_requirement):
+                    stack_majors.add(major)
     return stack_majors
 
 
@@ -267,7 +269,7 @@ def _anchor_for_aligned_integration_major(
     major: int,
     integration_manifests: dict[str, Any],
 ) -> str | None:
-    """Oldest integration version in ``major`` whose Kibana range overlaps ``[major, major+1)``."""
+    """Oldest integration version in major whose Kibana range overlaps [major, major+1)."""
     major_manifests = {
         version: manifest
         for version, manifest in integration_manifests.items()
@@ -302,9 +304,28 @@ def _find_least_compatible_for_stack(
     return None
 
 
-def _representative_stack_version(stack_major: int) -> Version:
-    """Representative stack version used to resolve unaligned integration majors."""
-    return Version(stack_major, 19, 0)
+def _stack_version_for_major(stack_major: int, integration_manifests: dict[str, Any]) -> Version:
+    """Pick a stack version within stack_major likely to satisfy manifest Kibana ranges."""
+    major_lo = Version(stack_major, 0, 0)
+    major_hi = Version(stack_major + 1, 0, 0)
+    candidate = major_lo
+
+    for manifest in integration_manifests.values():
+        version_requirement = manifest["conditions"]["kibana"]["version"]
+        if not _major_has_compatible_stack(stack_major, version_requirement):
+            continue
+        for lo, hi in _parse_kibana_range(version_requirement):
+            if hi is not None and hi <= major_lo:
+                continue
+            if lo >= major_hi:
+                continue
+            in_major = lo if lo >= major_lo else major_lo
+            if _satisfies_kibana_range(in_major, version_requirement):
+                candidate = max(candidate, in_major)
+            elif _satisfies_kibana_range(major_lo, version_requirement):
+                candidate = max(candidate, major_lo)
+
+    return candidate
 
 
 @dataclass(frozen=True)
@@ -320,11 +341,11 @@ def find_compatible_version_range(
     package: str,
     packages_manifest: dict[str, Any],
 ) -> CompatibleVersionRange:
-    """Return a stack-invariant OR'd caret range for ``related_integrations.version``.
+    """Return a stack-invariant OR'd caret range for related_integrations.version.
 
-    Emits one ``^X.Y.Z`` anchor per stack line the integration package supports, plus a
-    forward-looking ``^(top_major + 1).0.0`` anchor. Integration majors aligned with Kibana
-    stack majors (e.g. endpoint 8.x / 9.x) use manifest overlap on ``[M, M+1)``; other
+    Emits one ^X.Y.Z anchor per stack line the integration package supports, plus a
+    forward-looking ^(top_major + 1).0.0 anchor. Integration majors aligned with Kibana
+    stack majors (e.g. endpoint 8.x / 9.x) use manifest overlap on [M, M+1); other
     packages resolve additional stack lines via the legacy stack walk.
     """
     package_manifest = packages_manifest.get(package)
@@ -356,11 +377,9 @@ def find_compatible_version_range(
     for stack_major in effective_stack_majors:
         if stack_major in aligned_by_major:
             anchor = aligned_by_major[stack_major]
-        elif stack_major in integration_majors:
-            anchor = _anchor_for_aligned_integration_major(stack_major, integration_manifests)
         else:
             anchor = _find_least_compatible_for_stack(
-                _representative_stack_version(stack_major),
+                _stack_version_for_major(stack_major, integration_manifests),
                 integration_manifests,
             )
         if anchor and anchor not in anchors:
From 1d9fae1b8096878592967ca99a903353c555d481 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 29 May 2026 09:19:37 -0500
Subject: [PATCH 05/15] fix(integrations): tighten stack-major overlap and anchor resolution

Walk every stack major whose band intersects a bounded Kibana clause (e.g. >=8.12.0 <9.1.0 includes major 9) and pick the earliest compatible stack point within a major for the legacy least-compatible walk.
---
 detection_rules/integrations.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py
index dc8c3272390..0e0804f2593 100644
--- a/detection_rules/integrations.py
+++ b/detection_rules/integrations.py
@@ -258,8 +258,15 @@ def _stack_majors_supported_by_package(integration_manifests: dict[str, Any]) ->
     for manifest in integration_manifests.values():
         version_requirement = manifest["conditions"]["kibana"]["version"]
         for lo, hi in _parse_kibana_range(version_requirement):
-            end_major = lo.major + 1 if hi is None else max(hi.major, lo.major + 1)
-            for major in range(lo.major, end_major):
+            if hi is None:
+                majors_to_check = [lo.major]
+            else:
+                major = lo.major
+                majors_to_check = []
+                while Version(major, 0, 0) < hi:
+                    majors_to_check.append(major)
+                    major += 1
+            for major in majors_to_check:
                 if _major_has_compatible_stack(major, version_requirement):
                     stack_majors.add(major)
     return stack_majors
@@ -305,10 +312,10 @@ def _find_least_compatible_for_stack(
 
 
 def _stack_version_for_major(stack_major: int, integration_manifests: dict[str, Any]) -> Version:
-    """Pick a stack version within stack_major likely to satisfy manifest Kibana ranges."""
+    """Pick the earliest stack version within stack_major that satisfies manifest ranges."""
     major_lo = Version(stack_major, 0, 0)
     major_hi = Version(stack_major + 1, 0, 0)
-    candidate = major_lo
+    candidates: list[Version] = []
 
     for manifest in integration_manifests.values():
         version_requirement = manifest["conditions"]["kibana"]["version"]
@@ -321,11 +328,11 @@ def _stack_version_for_major(stack_major: int, integration_manifests: dict[str,
                 continue
             in_major = lo if lo >= major_lo else major_lo
             if _satisfies_kibana_range(in_major, version_requirement):
-                candidate = max(candidate, in_major)
+                candidates.append(in_major)
             elif _satisfies_kibana_range(major_lo, version_requirement):
-                candidate = max(candidate, major_lo)
+                candidates.append(major_lo)
 
-    return candidate
+    return min(candidates) if candidates else major_lo
 
 
 @dataclass(frozen=True)
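Review bot: In the `@@ -321,11 +328,11 @@` hunk of `_stack_version_for_major`, a clause whose parsed lower bound is exclusive contributes no candidate at all: `in_major` is `lo` itself, which `_satisfies_kibana_range` would reject for an exclusive bound, and the `elif` then only tries `major_lo`, which is lower still, so the function falls through to `major_lo` and the later least-compatible walk at `X.0.0` cannot match that manifest. Whether this is reachable depends on `_parse_kibana_range`, which is outside the hunk; if it returns `>X.Y.Z` bounds unadjusted rather than bumped to the next patch, consider also trying `in_major.bump_patch()` before giving up on the clause. The function's head is in the preceding hunk on this line, so the body shown here is partial.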
From 2302006f0f0c8cc23030c32db4b16a730c64862a Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 29 May 2026 09:23:36 -0500
Subject: [PATCH 06/15] fix(integrations): annotate majors_to_check for pyright

---
 detection_rules/integrations.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py
index 0e0804f2593..2b751678ea5 100644
--- a/detection_rules/integrations.py
+++ b/detection_rules/integrations.py
@@ -258,6 +258,7 @@ def _stack_majors_supported_by_package(integration_manifests: dict[str, Any]) ->
     for manifest in integration_manifests.values():
         version_requirement = manifest["conditions"]["kibana"]["version"]
         for lo, hi in _parse_kibana_range(version_requirement):
+            majors_to_check: list[int]
             if hi is None:
                 majors_to_check = [lo.major]
             else:
From eef18f2c6e3b92e9ec99609a31f6ad0c3946c2b2 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Thu, 4 Jun 2026 13:49:17 -0500
Subject: [PATCH 07/15] style(rule): apply ruff format for CI code-checks

Fix formatting on integration_name assignment that failed ruff format --check.
---
 detection_rules/rule.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 336b3e694e8..103d6b7a7c8 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -1446,9 +1446,7 @@ def _convert_add_related_integrations(self, obj: dict[str, Any]) -> None:
 
         for package in package_integrations:
             integration = package.get("integration")
-            integration_name = (
-                integration if integration and integration != "Unknown" else None
-            )
+            integration_name = integration if integration and integration != "Unknown" else None
             result = find_compatible_version_range(
                 package=package["package"],
                 packages_manifest=packages_manifest,
From 6ae62b17daf68f45ac9302d884ed1b954d8eaff4 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Thu, 4 Jun 2026 14:52:32 -0500
Subject: [PATCH 08/15] fix(integrations): address PR review on version range export

Walk all stack majors for non-aligned packages, handle unbounded Kibana ranges, restore schema comments, use immutable anchor tuples, and add UNKNOWN_PACKAGE_INTEGRATION constant with regression tests.
---
 detection_rules/integrations.py | 105 +++++++++++++++++++++++---------
 detection_rules/rule.py | 9 ++-
 tests/test_integrations.py | 52 +++++++++++++---
 3 files changed, 126 insertions(+), 40 deletions(-)

diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py
index 47173a25c90..31c44cc68fb 100644
--- a/detection_rules/integrations.py
+++ b/detection_rules/integrations.py
@@ -246,18 +246,17 @@ def _satisfies_kibana_range(stack: Version, version_requirement: str) -> bool:
 
 
 def find_latest_integration_patch_for_minor(packages: Iterable[str], major: int, minor: int) -> int:
-    """Find the latest stack patch the given integration packages need for a major.minor."""
-    # The stack-schema-map keys stacks at MAJOR.MINOR.0, but an integration may gate its latest
-    # package (and newly-added data streams) behind a later patch (e.g. azure ~8.19.10). Resolving
-    # against the literal .0 falls back to an older package that predates the stream. Return the
-    # latest patch a package gates on for the minor, i.e. the stack patch needed to receive the most
-    # up-to-date integration package on that minor.
+    """Find the latest stack patch integration packages need for a major.minor."""
+    # stack-schema-map keys stacks at MAJOR.MINOR.0, but an integration may gate its latest
+    # package (and newly-added data streams) behind a later patch (e.g. azure ~8.19.10).
+    # Resolving against the literal .0 falls back to an older package that predates the
+    # stream. Return the latest patch a package gates on for the minor.
     #
-    # Track the *newest* package version's floor (not the max floor across all versions): Fleet always
-    # installs the latest compatible package, so that floor is the patch a stack actually needs. A
-    # newer package occasionally lowers its floor (e.g. apm 7.16.1 gates ^7.16.1 but the newer 7.16.2
-    # gates ^7.16.0); honoring the newest version matches what Fleet installs rather than an older,
-    # higher floor that would never be installed on that stack.
+    # Track the *newest* package version's floor (not the max floor across all versions):
+    # Fleet always installs the latest compatible package, so that floor is the patch a
+    # stack actually needs. A newer package occasionally lowers its floor (e.g. apm 7.16.1
+    # gates ^7.16.1 but the newer 7.16.2 gates ^7.16.0); honoring the newest version
+    # matches what Fleet installs rather than an older, higher floor.
     manifests = load_integrations_manifests()
     latest_patch = 0
     for package in packages:
@@ -283,6 +282,14 @@ def find_latest_integration_patch_for_minor(packages: Iterable[str], major: int,
     return latest_patch
 
 
+# Sentinel written by ``parse_datasets`` when a rule indexes a package but not a data stream.
+UNKNOWN_PACKAGE_INTEGRATION = "Unknown"
+
+# Cap stack majors collected from an unbounded Kibana clause (``>=X.Y.Z``). EPR caret/tilde
+# ranges are always bounded today; this only applies if EPR ever emits an open-ended requirement.
+_MAX_UNBOUNDED_STACK_MAJOR_SPAN = 10
+
+
 def _major_has_compatible_stack(major: int, version_requirement: str) -> bool:
     """Return True iff the Kibana range overlaps some stack in [major.0.0, (major+1).0.0)."""
     major_lo = Version(major, 0, 0)
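Review bot: The two new comments in the `@@ -283,6 +282,14 @@` hunk reintroduce RST-style double backticks (around parse_datasets and around >=X.Y.Z) that PATCH 04 of this same series explicitly removed from the module's new docstrings, so the file now mixes both conventions. The same applies to the unbounded-upper comment in `_majors_overlapping_kibana_clause`, the `_collect_compatible_anchors` docstring (around integration) and the two new test docstrings in `tests/test_integrations.py`. Pick one convention; given PATCH 04, plain `# Sentinel written by parse_datasets when a rule indexes a package but not a data stream.` and `# Cap stack majors collected from an unbounded Kibana clause (>=X.Y.Z).` match the rest of the new code.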
@@ -301,22 +308,38 @@ def _package_version_has_integration(
     return integration in package_schemas[version]
 
 
+def _majors_overlapping_kibana_clause(
+    lo: Version,
+    hi: Version | None,
+    version_requirement: str,
+) -> list[int]:
+    """Return stack majors whose [M.0.0, (M+1).0.0) band intersects the parsed clause bounds."""
+    if hi is not None:
+        majors_to_check: list[int] = []
+        major = lo.major
+        while Version(major, 0, 0) < hi:
+            majors_to_check.append(major)
+            major += 1
+        return majors_to_check
+
+    # Unbounded upper (``>=``, ``>``): walk forward while the major still overlaps.
+    majors_to_check: list[int] = []
+    major = lo.major
+    while major <= lo.major + _MAX_UNBOUNDED_STACK_MAJOR_SPAN and _major_has_compatible_stack(
+        major, version_requirement
+    ):
+        majors_to_check.append(major)
+        major += 1
+    return majors_to_check
+
+
 def _stack_majors_supported_by_package(integration_manifests: dict[str, Any]) -> set[int]:
     """Collect Kibana stack majors that any manifest in the package can serve."""
     stack_majors: set[int] = set()
     for manifest in integration_manifests.values():
         version_requirement = manifest["conditions"]["kibana"]["version"]
         for lo, hi in _parse_kibana_range(version_requirement):
-            majors_to_check: list[int]
-            if hi is None:
-                majors_to_check = [lo.major]
-            else:
-                major = lo.major
-                majors_to_check = []
-                while Version(major, 0, 0) < hi:
-                    majors_to_check.append(major)
-                    major += 1
-            for major in majors_to_check:
+            for major in _majors_overlapping_kibana_clause(lo, hi, version_requirement):
                 if _major_has_compatible_stack(major, version_requirement):
                     stack_majors.add(major)
     return stack_majors
@@ -408,7 +431,7 @@ class CompatibleVersionRange:
     """Stack-invariant related integration compatibility range."""
 
     range: str
-    anchors: list[str]
+    anchors: tuple[str, ...]
     forward_anchor: str
 
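Review bot: The `_major_has_compatible_stack` test in the unbounded `while` of `_majors_overlapping_kibana_clause` can never be false: the clause being walked is `(lo, None)`, and for every `major >= lo.major` that clause satisfies `lo < major_hi and hi is None`, so the loop always yields exactly `_MAX_UNBOUNDED_STACK_MAJOR_SPAN + 1` majors (the `{8, ..., 18}` the new test pins). The comment "walk forward while the major still overlaps" therefore describes a check that does no work, and the caller in `_stack_majors_supported_by_package` re-applies the same filter anyway. Either state the cap honestly, `majors_to_check = list(range(lo.major, lo.major + _MAX_UNBOUNDED_STACK_MAJOR_SPAN + 1))` with `# open-ended clause: every major from lo.major up is compatible, so only the cap bounds the walk`, or drop the predicate from the loop condition and leave filtering to the caller as the bounded branch already does.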
@@ -417,8 +440,12 @@ def _build_compatible_version_range(anchors: list[str]) -> CompatibleVersionRang
     if not anchors:
         raise ValueError("anchors must not be empty")
 
-    sorted_anchors = sorted(set(anchors), key=Version.parse)
+    sorted_anchors = tuple(sorted(set(anchors), key=Version.parse))
     top_major = max(Version.parse(anchor).major for anchor in sorted_anchors)
+    # Forward sentinel: no manifest entry exists yet for (top_major + 1). Kibana accepts
+    # the caret and it prevents immediate incompatibility when a new package major ships
+    # before the next manifest refresh. Trade-off: breaking changes in that major would
+    # not surface until manifests/schemas update.
     forward_anchor = f"{top_major + 1}.0.0"
     range_parts = [f"^{anchor}" for anchor in sorted_anchors] + [f"^{forward_anchor}"]
     return CompatibleVersionRange(
@@ -462,10 +489,11 @@ def apply_schema_version_floor(
         if not any(Version.parse(anchor).major == floor_major for anchor in bumped_anchors):
             bumped_anchors.append(schema_floor)
 
-    if bumped_anchors == result.anchors:
+    bumped_tuple = tuple(sorted(set(bumped_anchors), key=Version.parse))
+    if bumped_tuple == result.anchors:
         return result
 
-    return _build_compatible_version_range(bumped_anchors)
+    return _build_compatible_version_range(list(bumped_tuple))
 
 
 def _collect_compatible_anchors(
@@ -474,7 +502,14 @@ def _collect_compatible_anchors(
     integration: str | None,
     package_schemas: dict[str, Any],
 ) -> list[str]:
-    """Collect manifest anchors for each supported stack major."""
+    """Collect manifest anchors for each supported stack major.
+
+    For each supported Kibana stack major, resolve the oldest integration package
+    version compatible with that line (schema-aware when ``integration`` is set).
+    When integration package majors align with stack majors (endpoint 8.x on Kibana
+    8.x), use the aligned anchor directly; otherwise fall back to the legacy
+    least-compatible walk at the earliest stack point in that major.
+    """
     integration_majors = {Version.parse(version).major for version in integration_manifests}
     aligned_by_major = {
         major: anchor
@@ -494,9 +529,9 @@ def _collect_compatible_anchors(
     if aligned_min_major is not None:
         effective_stack_majors = sorted(stack_major for stack_major in stack_majors if stack_major >= aligned_min_major)
     else:
-        effective_stack_majors = sorted(
-            stack_major for stack_major in stack_majors if stack_major >= max(stack_majors) - 1
-        )
+        # Non-aligned packages (integration major != stack major): walk every supported
+        # stack line so we never drop an older backport anchor (#5601).
+        effective_stack_majors = sorted(stack_majors)
 
     anchors: list[str] = []
     for stack_major in effective_stack_majors:
@@ -534,6 +569,16 @@ def find_compatible_version_range(
     integration: str | None = None,
 ) -> CompatibleVersionRange:
     """Return a stack-invariant OR'd caret range for related_integrations.version."""
+    # Resolve anchors from EPR manifests alone (no build-time stack version), OR the
+    # carets together, and append a forward sentinel for the next integration major.
+    #
+    # When integration is set, the manifest kibana condition only tells us whether the
+    # *package* installs on a stack, not whether a particular data stream exists yet
+    # (e.g. azure added aadgraphactivitylogs in 1.37.0 while 1.0.0 already installs
+    # on 8.19). integration-schemas.json.gz records streams per package version; skip
+    # versions that predate the stream when schema data exists, otherwise fall back to
+    # kibana compatibility alone (e.g. synthetic manifests in tests). Schemas are loaded
+    # lazily only when integration is set.
     package_manifest = packages_manifest.get(package)
     if package_manifest is None:
         raise ValueError(f"Package {package} not found in manifest.")
@@ -779,7 +824,7 @@ def parse_datasets(datasets: list[str], package_manifest: dict[str, Any]) -> lis
         # cleanup extra quotes pulled from ast field
         value = _value.strip('"')
 
-        integration = "Unknown"
+        integration = UNKNOWN_PACKAGE_INTEGRATION
         if "." in value:
             package, integration = value.split(".", 1)
             # Handle cases where endpoint event datasource needs to be parsed uniquely (e.g endpoint.events.network)
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 103d6b7a7c8..594c039705f 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -32,6 +32,7 @@
 from .esql import get_esql_query_event_dataset_integrations
 from .esql_errors import EsqlSemanticError
 from .integrations import (
+    UNKNOWN_PACKAGE_INTEGRATION,
     find_compatible_version_range,
     get_integration_schema_fields,
     load_integrations_manifests,
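Review bot: `parse_datasets` appears to exist twice with the same body, here in `detection_rules/integrations.py` (`@@ -779,7 +824,7 @@`) and in `detection_rules/rule.py` (`@@ -1896,7 +1901,7 @@`), and this commit had to apply the `UNKNOWN_PACKAGE_INTEGRATION` substitution to both copies by hand. That is exactly how the two drift apart; since rule.py already imports from `.integrations`, the rule.py copy could be replaced by that import, provided nothing in rule.py relies on the local definition, which cannot be confirmed from the hunk. The enclosing function continues outside the hunk in both files.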
@@ -1446,7 +1447,9 @@ def _convert_add_related_integrations(self, obj: dict[str, Any]) -> None:
 
         for package in package_integrations:
             integration = package.get("integration")
-            integration_name = integration if integration and integration != "Unknown" else None
+            integration_name = (
+                integration if integration and integration != UNKNOWN_PACKAGE_INTEGRATION else None
+            )
             result = find_compatible_version_range(
                 package=package["package"],
                 packages_manifest=packages_manifest,
@@ -1454,6 +1457,8 @@ def _convert_add_related_integrations(self, obj: dict[str, Any]) -> None:
             )
             package["version"] = result.range
 
+            # Union policy templates across manifest-backed anchors only.
+            # forward_anchor has no manifest entry and is excluded by design.
             policy_templates: set[str] = set()
             for anchor in result.anchors:
                 version_data = packages_manifest.get(package["package"], {}).get(anchor, {})
@@ -1896,7 +1901,7 @@ def parse_datasets(datasets: list[str], package_manifest: dict[str, Any]) -> lis
         # cleanup extra quotes pulled from ast field
         value = _value.strip('"')
 
-        integration = "Unknown"
+        integration = UNKNOWN_PACKAGE_INTEGRATION
         if "." in value:
             package, integration = value.split(".", 1)
             # Handle cases where endpoint event datasource needs to be parsed uniquely (e.g endpoint.events.network)
diff --git a/tests/test_integrations.py b/tests/test_integrations.py
index b2cb5df46a6..ff012bb0a6f 100644
--- a/tests/test_integrations.py
+++ b/tests/test_integrations.py
@@ -11,9 +11,11 @@
 from semver import Version
 
 from detection_rules.integrations import (
+    _majors_overlapping_kibana_clause,
     _parse_clause,
     _parse_kibana_range,
     _satisfies_kibana_range,
+    _stack_majors_supported_by_package,
     find_compatible_version_range,
     find_latest_compatible_version,
 )
@@ -231,7 +233,7 @@ def test_emits_or_range_across_majors(self):
         }
         result = find_compatible_version_range("pkg", manifests)
         self.assertEqual(result.range, "^1.0.0 || ^2.0.0 || ^3.0.0")
-        self.assertEqual(result.anchors, ["1.0.0", "2.0.0"])
+        self.assertEqual(result.anchors, ("1.0.0", "2.0.0"))
         self.assertEqual(result.forward_anchor, "3.0.0")
 
     def test_stack_invariance(self):
@@ -251,7 +253,7 @@ def test_single_major_appends_forward_anchor(self):
         manifests = {"pkg": {"9.0.0": _manifest("^9.0.0")}}
         result = find_compatible_version_range("pkg", manifests)
         self.assertEqual(result.range, "^9.0.0 || ^10.0.0")
-        self.assertEqual(result.anchors, ["9.0.0"])
+        self.assertEqual(result.anchors, ("9.0.0",))
         self.assertEqual(result.forward_anchor, "10.0.0")
 
     def test_three_majors_endpoint_shape(self):
@@ -265,7 +267,7 @@ def test_three_majors_endpoint_shape(self):
         }
         result = find_compatible_version_range("endpoint", manifests)
         self.assertEqual(result.range, "^7.17.0 || ^8.2.0 || ^9.0.0 || ^10.0.0")
-        self.assertEqual(result.anchors, ["7.17.0", "8.2.0", "9.0.0"])
+        self.assertEqual(result.anchors, ("7.17.0", "8.2.0", "9.0.0"))
         self.assertEqual(result.forward_anchor, "10.0.0")
 
     def test_skips_majors_with_no_overlap(self):
@@ -278,7 +280,7 @@ def test_skips_majors_with_no_overlap(self):
         }
         result = find_compatible_version_range("pkg", manifests)
         self.assertEqual(result.range, "^7.10.0 || ^9.4.0 || ^10.0.0")
-        self.assertEqual(result.anchors, ["7.10.0", "9.4.0"])
+        self.assertEqual(result.anchors, ("7.10.0", "9.4.0"))
 
     def test_raises_when_no_compatible_major(self):
         """When no stack line can be resolved, raise."""
@@ -299,9 +301,39 @@ def test_returns_anchor_list_for_policy_template_lookup(self):
             }
         }
         result = find_compatible_version_range("pkg", manifests)
-        self.assertEqual(result.anchors, ["1.0.0", "2.0.0"])
+        self.assertEqual(result.anchors, ("1.0.0", "2.0.0"))
         self.assertEqual(result.forward_anchor, "3.0.0")
 
+    def test_unbounded_kibana_range_collects_multiple_stack_majors(self):
+        """``>=8.12.0`` (unbounded upper) must collect every overlapping stack major."""
+        manifests = {"pkg": {"1.0.0": _manifest(">=8.12.0")}}
+        stack_majors = _stack_majors_supported_by_package(manifests["pkg"])
+        self.assertEqual(stack_majors, {8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18})
+
+    def test_bounded_kibana_range_includes_upper_major(self):
+        """``>=8.12.0 <9.1.0`` overlaps stack major 9 (9.0.x) and must include it."""
+        majors = _majors_overlapping_kibana_clause(
+            Version(8, 12, 0),
+            Version(9, 1, 0),
+            ">=8.12.0 <9.1.0",
+        )
+        self.assertIn(8, majors)
+        self.assertIn(9, majors)
+        self.assertNotIn(10, majors)
+
+    def test_non_aligned_package_covers_all_stack_majors(self):
+        """Non-aligned integration majors emit one anchor per supported stack line."""
+        manifests = {
+            "pkg": {
+                "1.0.0": _manifest("^8.12.0"),
+                "1.1.0": _manifest("^9.0.0"),
+                "1.2.0": _manifest("^10.0.0"),
+            }
+        }
+        result = find_compatible_version_range("pkg", manifests)
+        self.assertEqual(result.anchors, ("1.0.0", "1.1.0", "1.2.0"))
+        self.assertEqual(result.range, "^1.0.0 || ^1.1.0 || ^1.2.0 || ^2.0.0")
+
 
 class TestFindCompatibleVersionRangeSchemaAware(unittest.TestCase):
     """Schema-aware data stream filtering ported from #6251 into OR-range export."""
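Review bot: `test_unbounded_kibana_range_collects_multiple_stack_majors` hardcodes `{8, 9, ..., 18}`, which silently encodes the `_MAX_UNBOUNDED_STACK_MAJOR_SPAN = 10` cap introduced in the same commit; anyone changing the cap gets a failing assertion with no hint of the coupling. Import the constant alongside the other private names already pulled in at the top of the file and derive the expectation, `self.assertEqual(stack_majors, set(range(8, 8 + _MAX_UNBOUNDED_STACK_MAJOR_SPAN + 1)))`, with a one-line docstring note that the walk is capped. The enclosing test class continues outside the hunk.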
@@ -329,14 +361,14 @@ def test_skips_versions_missing_integration(self):
         self.assertNotIn("1.5.0", new_ds.anchors)
 
         existing_ds = find_compatible_version_range("pkg", manifests, integration="existing_ds")
-        self.assertEqual(existing_ds.anchors, ["1.0.0"])
+        self.assertEqual(existing_ds.anchors, ("1.0.0",))
 
     def test_no_schema_data_falls_back_to_kibana_only(self):
         """Versions without schema data are not filtered; kibana compatibility alone decides."""
         manifests = {"pkg": {"1.0.0": _manifest("^8.12.0"), "1.5.0": _manifest("^8.12.0")}}
         with unittest.mock.patch("detection_rules.integrations.load_integrations_schemas", return_value={}):
             result = find_compatible_version_range("pkg", manifests, integration="new_ds")
-        self.assertEqual(result.anchors, ["1.0.0"])
+        self.assertEqual(result.anchors, ("1.0.0",))
 
     def test_all_compatible_versions_missing_integration_raises(self):
         """Raise when every kibana-compatible version's schema lacks the requested integration."""
@@ -349,7 +381,11 @@ def test_all_compatible_versions_missing_integration_raises(self):
             find_compatible_version_range("pkg", manifests, integration="new_ds")
 
     def test_azure_aadgraphactivitylogs_schema_floor(self):
-        """aadgraphactivitylogs first appears in azure 1.37.0 and bumps RI anchors."""
+        """aadgraphactivitylogs first appears in azure 1.37.0 and bumps RI anchors.
+
+        Pinned to the committed integration-schemas.json.gz; update if the stream
+        introduction version shifts.
+        """
         from detection_rules.integrations import load_integrations_manifests, load_integrations_schemas
 
         schemas = load_integrations_schemas()
From adc4f1018b7cfd02b88ff538609ecbd7703b6cff Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Thu, 4 Jun 2026 15:09:28 -0500
Subject: [PATCH 09/15] fix(integrations): anchor RI export to shipped stack backports only

Prebuilt rules ship to the stack lines in stack-schema-map, not every Kibana major a manifest ever claimed. Filter against get_stack_versions() so dead lines like Kibana 7.x do not pull azure 0.0.2 into related_integrations.
---
 detection_rules/integrations.py | 10 ++++-
 tests/test_integrations.py | 80 +++++++++++++++++++++++--------
 2 files changed, 70 insertions(+), 20 deletions(-)

diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py
index 31c44cc68fb..82565fdd76f 100644
--- a/detection_rules/integrations.py
+++ b/detection_rules/integrations.py
@@ -23,7 +23,7 @@
 from . import ecs
 from .beats import flatten_ecs_schema
 from .config import load_current_package_version
-from .schemas import definitions
+from .schemas import definitions, get_stack_versions
 from .utils import cached, get_etc_path, read_gzip, unzip
 
 if TYPE_CHECKING:
@@ -455,6 +455,11 @@ def _build_compatible_version_range(anchors: list[str]) -> CompatibleVersionRang
     )
 
 
+def _shipped_stack_majors() -> set[int]:
+    """Stack majors we ship prebuilt rules to (from the stack-schema-map backport lines)."""
+    return {Version.parse(version).major for version in get_stack_versions()}
+
+
 def minimum_schema_package_version(
     package: str,
     integration: str,
@@ -588,7 +593,8 @@ def find_compatible_version_range(
         package_schemas = load_integrations_schemas().get(package, {})
 
     integration_manifests = dict(sorted(package_manifest.items(), key=lambda x: Version.parse(x[0])))
-    stack_majors = _stack_majors_supported_by_package(integration_manifests)
+    # Only walk stack majors we ship prebuilt rules to (stack-schema-map backport lines).
+    stack_majors = _stack_majors_supported_by_package(integration_manifests) & _shipped_stack_majors()
     if not stack_majors:
         raise ValueError(f"no compatible version for integration package {package}")
 
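Review bot: After the intersection on the new `stack_majors` line in the `@@ -588,7 +593,8 @@` hunk, the `ValueError` two lines below no longer distinguishes a package with no Kibana overlap at all from one that only serves stack lines outside the shipped backport set, which is the case this commit deliberately creates for dead lines like 7.x and is the one a rule author will hit first; `raise ValueError(f"no compatible version for integration package {package} on shipped stack majors {sorted(_shipped_stack_majors())}")` would name the cause. `_shipped_stack_majors()` is also re-evaluated on every call, and `find_compatible_version_range` runs per rule and per package; if `get_stack_versions()` is not itself memoized (not visible here), the `cached` decorator this module already imports from `.utils` would stop it re-reading the map each time. The enclosing function starts outside the hunk.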
diff --git a/tests/test_integrations.py b/tests/test_integrations.py
index ff012bb0a6f..919ea839e40 100644
--- a/tests/test_integrations.py
+++ b/tests/test_integrations.py
@@ -222,13 +222,13 @@ class TestFindCompatibleVersionRange(unittest.TestCase):
     """Behavior coverage for ``find_compatible_version_range``."""
 
     def test_emits_or_range_across_majors(self):
-        """Emits oldest anchor per major plus a forward-looking next-major anchor."""
+        """Emits oldest anchor per shipped stack major plus a forward-looking next-major anchor."""
         manifests = {
             "pkg": {
-                "1.0.0": _manifest("^1.0.0"),
-                "1.5.0": _manifest("^1.5.0"),
-                "2.0.0": _manifest("^2.0.0"),
-                "2.5.0": _manifest("^2.1.0"),
+                "1.0.0": _manifest("^8.0.0"),
+                "1.5.0": _manifest("^8.0.0"),
+                "2.0.0": _manifest("^9.0.0"),
+                "2.5.0": _manifest("^9.1.0"),
             }
         }
         result = find_compatible_version_range("pkg", manifests)
@@ -240,8 +240,8 @@ def test_stack_invariance(self):
         """Range result does not depend on build stack version."""
         manifests = {
             "pkg": {
-                "1.0.0": _manifest("^1.0.0"),
-                "2.0.0": _manifest("^2.0.0"),
+                "1.0.0": _manifest("^8.0.0"),
+                "2.0.0": _manifest("^9.0.0"),
             }
         }
         first = find_compatible_version_range("pkg", manifests)
@@ -257,7 +257,7 @@ def test_single_major_appends_forward_anchor(self):
         self.assertEqual(result.forward_anchor, "10.0.0")
 
     def test_three_majors_endpoint_shape(self):
-        """Synthetic endpoint-like majors mirror the #5601 reproducer shape."""
+        """Synthetic endpoint-like majors on shipped stack lines (8.x and 9.x)."""
         manifests = {
             "endpoint": {
                 "7.17.0": _manifest("^7.17.0"),
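Review bot: Starting with the manifests rewritten to `^8.0.0`/`^9.0.0` in `test_emits_or_range_across_majors`, every expectation in this file now depends on the live stack-schema-map through `get_stack_versions()`, so `("8.2.0", "9.0.0")` in `test_three_majors_endpoint_shape` and the `# Stack 10 is not a shipped backport line` assumption in `test_non_aligned_package_covers_shipped_stack_majors` will break, or quietly change meaning, the day 10.x is added to or 8.x dropped from the map. The file already isolates one repo-state dependency with `unittest.mock.patch("detection_rules.integrations.load_integrations_schemas", ...)`; pin the other the same way, `with unittest.mock.patch("detection_rules.integrations._shipped_stack_majors", return_value={8, 9}):`, in these tests or in a `setUp`, and keep a single unpatched test (the `test_excludes_unshipped_stack_majors` case is a natural choice) that proves the real map is honoured. The same point applies to the remaining `tests/test_integrations.py` hunks of this commit. The enclosing class continues outside the hunk.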
@@ -266,8 +266,8 @@ def test_three_majors_endpoint_shape(self): } } result = find_compatible_version_range("endpoint", manifests) - self.assertEqual(result.range, "^7.17.0 || ^8.2.0 || ^9.0.0 || ^10.0.0") - self.assertEqual(result.anchors, ("7.17.0", "8.2.0", "9.0.0")) + self.assertEqual(result.range, "^8.2.0 || ^9.0.0 || ^10.0.0") + self.assertEqual(result.anchors, ("8.2.0", "9.0.0")) self.assertEqual(result.forward_anchor, "10.0.0") def test_skips_majors_with_no_overlap(self): @@ -279,8 +279,8 @@ def test_skips_majors_with_no_overlap(self): } } result = find_compatible_version_range("pkg", manifests) - self.assertEqual(result.range, "^7.10.0 || ^9.4.0 || ^10.0.0") - self.assertEqual(result.anchors, ("7.10.0", "9.4.0")) + self.assertEqual(result.range, "^9.4.0 || ^10.0.0") + self.assertEqual(result.anchors, ("9.4.0",)) def test_raises_when_no_compatible_major(self): """When no stack line can be resolved, raise.""" @@ -296,8 +296,8 @@ def test_returns_anchor_list_for_policy_template_lookup(self): """Anchors and forward anchor are exposed for policy template union.""" manifests = { "pkg": { - "1.0.0": _manifest("^1.0.0"), - "2.0.0": _manifest("^2.0.0"), + "1.0.0": _manifest("^8.0.0"), + "2.0.0": _manifest("^9.0.0"), } } result = find_compatible_version_range("pkg", manifests) @@ -321,8 +321,8 @@ def test_bounded_kibana_range_includes_upper_major(self): self.assertIn(9, majors) self.assertNotIn(10, majors) - def test_non_aligned_package_covers_all_stack_majors(self): - """Non-aligned integration majors emit one anchor per supported stack line.""" + def test_non_aligned_package_covers_shipped_stack_majors(self): + """Non-aligned packages emit one anchor per shipped backport stack major.""" manifests = { "pkg": { "1.0.0": _manifest("^8.12.0"), 
@@ -331,8 +331,29 @@ def test_non_aligned_package_covers_all_stack_majors(self): } } result = find_compatible_version_range("pkg", manifests) - self.assertEqual(result.anchors, ("1.0.0", "1.1.0", "1.2.0")) - self.assertEqual(result.range, "^1.0.0 || ^1.1.0 || ^1.2.0 || ^2.0.0") + # Stack 10 is not a shipped backport line; only 8.x and 9.x majors from stack-schema-map. + self.assertEqual(result.anchors, ("1.0.0", "1.1.0")) + self.assertEqual(result.range, "^1.0.0 || ^1.1.0 || ^2.0.0") + + def test_excludes_unshipped_stack_majors(self): + """Manifest stack lines outside shipped backports (e.g. Kibana 7.x) are not walked.""" + manifests = { + "pkg": { + "0.0.2": _manifest("^7.9.0"), + "1.0.0": _manifest("^8.0.0"), + "1.22.0": _manifest("^9.0.0"), + } + } + result = find_compatible_version_range("pkg", manifests) + self.assertEqual(result.anchors, ("1.0.0", "1.22.0")) + self.assertNotIn("0.0.2", result.anchors) + self.assertEqual(result.range, "^1.0.0 || ^1.22.0 || ^2.0.0") + + def test_keeps_zero_major_when_only_stable_option_missing(self): + """Keep 0.x anchors when no major >= 1 anchor exists.""" + manifests = {"pkg": {"0.5.0": _manifest("^8.0.0")}} + result = find_compatible_version_range("pkg", manifests) + self.assertEqual(result.anchors, ("0.5.0",)) class TestFindCompatibleVersionRangeSchemaAware(unittest.TestCase): 
@@ -380,6 +401,27 @@ def test_all_compatible_versions_missing_integration_raises(self): ): find_compatible_version_range("pkg", manifests, integration="new_ds") + def test_schema_floor_excludes_legacy_zero_major(self): + """Schema-floor fallback must not retain 0.x anchors from the package baseline.""" + manifests = { + "pkg": { + "0.0.2": _manifest("^7.9.0"), + "1.0.0": _manifest("^8.0.0"), + "1.37.0": _manifest("^9.0.0"), + } + } + schemas = { + "pkg": { + "0.0.2": {"other_ds": {}}, + "1.0.0": {"other_ds": {}}, + "1.37.0": {"aadgraphactivitylogs": {}}, + } + } + with unittest.mock.patch("detection_rules.integrations.load_integrations_schemas", return_value=schemas): + result = find_compatible_version_range("pkg", manifests, integration="aadgraphactivitylogs") + self.assertEqual(result.anchors, ("1.37.0",)) + self.assertEqual(result.range, "^1.37.0 || ^2.0.0") + def test_azure_aadgraphactivitylogs_schema_floor(self): """aadgraphactivitylogs first appears in azure 1.37.0 and bumps RI anchors. @@ -393,7 +435,9 @@ def test_azure_aadgraphactivitylogs_schema_floor(self): result = find_compatible_version_range("azure", manifests, integration="aadgraphactivitylogs") self.assertIn("1.37.0", result.anchors) self.assertNotIn("1.0.0", result.anchors) + self.assertNotIn("0.0.2", result.anchors) self.assertIn("^1.37.0", result.range) + self.assertEqual(result.range, "^1.37.0 || ^2.0.0") floor_versions = [ version for version in sorted(schemas["azure"], key=Version.parse) From 655cffc43af1b9c71385a6175c43c3f14147c9ae Mon Sep 17 00:00:00 2001 
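Review bot: `unittest.mock.patch(...)` in test_schema_floor_excludes_legacy_zero_major relies on the `unittest.mock` submodule having been imported already; `import unittest` alone does not import it, so whether the attribute access works depends on what else the test process imported first (the file's import block is outside this diff, so I cannot confirm which form it uses). An explicit `from unittest import mock` at the top of tests/test_integrations.py removes that dependency. In the next hunk, `self.assertEqual(result.range, "^1.37.0 || ^2.0.0")` pins the bundled azure manifest: the forward anchor is derived from the top anchor major, so it moves to `^3.0.0` once a 2.x azure package is in the manifest, and the `assertIn("^1.37.0", result.range)` already on the line above is the stable part of that check.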
From: Mika Ayenson Date: Thu, 4 Jun 2026 15:48:35 -0500 Subject: [PATCH 10/15] refactor(integrations): simplify version range export helpers Remove aligned-major fast path, redundant overlap checks, and dead branches from the #5601 OR-range export. Cache shipped stack majors, derive unbounded-range test expectations from _MAX_UNBOUNDED_STACK_MAJOR_SPAN, and inline schema-floor fallback at its single call site. --- detection_rules/integrations.py | 122 ++++++-------------------------- tests/test_integrations.py | 5 +- 2 files changed, 25 insertions(+), 102 deletions(-) diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py index 82565fdd76f..466422b9729 100644 --- a/detection_rules/integrations.py +++ b/detection_rules/integrations.py @@ -287,6 +287,8 @@ def find_latest_integration_patch_for_minor(packages: Iterable[str], major: int, # Cap stack majors collected from an unbounded Kibana clause (``>=X.Y.Z``). EPR caret/tilde # ranges are always bounded today; this only applies if EPR ever emits an open-ended requirement. +# The exact value is not critical: ``find_compatible_version_range`` intersects with +# ``_shipped_stack_majors()`` so only backport lines we ship rules to are kept. _MAX_UNBOUNDED_STACK_MAJOR_SPAN = 10 
@@ -340,37 +342,10 @@ def _stack_majors_supported_by_package(integration_manifests: dict[str, Any]) -> version_requirement = manifest["conditions"]["kibana"]["version"] for lo, hi in _parse_kibana_range(version_requirement): for major in _majors_overlapping_kibana_clause(lo, hi, version_requirement): - if _major_has_compatible_stack(major, version_requirement): - stack_majors.add(major) + stack_majors.add(major) return stack_majors -def _anchor_for_aligned_integration_major( - major: int, - integration_manifests: dict[str, Any], - integration: str | None = None, - package_schemas: dict[str, Any] | None = None, -) -> str | None: - """Oldest integration version in major whose Kibana range overlaps [major, major+1).""" - major_manifests = { - version: manifest - for version, manifest in integration_manifests.items() - if Version.parse(version).major == major - } - for version, manifest in sorted(major_manifests.items(), key=lambda x: Version.parse(x[0])): - version_requirement = manifest["conditions"]["kibana"]["version"] - if not _major_has_compatible_stack(major, version_requirement): - continue - if ( - integration - and package_schemas is not None - and not _package_version_has_integration(version, integration, package_schemas) - ): - continue - return version - return None - - def _find_least_compatible_for_stack( stack_version: Version, integration_manifests: dict[str, Any], 
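Review bot: With the `_major_has_compatible_stack` guard removed here and again in `_stack_version_for_major` in the next hunk (which also drops its `_satisfies_kibana_range` calls), this diff shows no remaining caller of either helper; if none is left in integrations.py they are dead code and belong in the same cleanup, otherwise a one-line comment on each naming who still uses it would help the next reader. Note that `_stack_majors_supported_by_package` now admits every major `_majors_overlapping_kibana_clause` yields, so the docstring on that function (outside the hunk) should state that filtering to installable lines happens in the caller's intersection with `_shipped_stack_majors()`. `_stack_majors_supported_by_package` starts before this hunk.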
@@ -403,25 +378,18 @@ def _find_least_compatible_for_stack( def _stack_version_for_major(stack_major: int, integration_manifests: dict[str, Any]) -> Version: - """Pick the earliest stack version within stack_major that satisfies manifest ranges.""" + """Earliest stack version in stack_major that satisfies any manifest range.""" major_lo = Version(stack_major, 0, 0) major_hi = Version(stack_major + 1, 0, 0) candidates: list[Version] = [] for manifest in integration_manifests.values(): - version_requirement = manifest["conditions"]["kibana"]["version"] - if not _major_has_compatible_stack(stack_major, version_requirement): - continue - for lo, hi in _parse_kibana_range(version_requirement): + for lo, hi in _parse_kibana_range(manifest["conditions"]["kibana"]["version"]): if hi is not None and hi <= major_lo: continue if lo >= major_hi: continue - in_major = lo if lo >= major_lo else major_lo - if _satisfies_kibana_range(in_major, version_requirement): - candidates.append(in_major) - elif _satisfies_kibana_range(major_lo, version_requirement): - candidates.append(major_lo) + candidates.append(max(lo, major_lo)) return min(candidates) if candidates else major_lo @@ -455,6 +423,7 @@ def _build_compatible_version_range(anchors: list[str]) -> CompatibleVersionRang ) +@cached def _shipped_stack_majors() -> set[int]: """Stack majors we ship prebuilt rules to (from the stack-schema-map backport lines).""" return {Version.parse(version).major for version in get_stack_versions()} @@ -494,7 +463,7 @@ def apply_schema_version_floor( if not any(Version.parse(anchor).major == floor_major for anchor in bumped_anchors): bumped_anchors.append(schema_floor) - bumped_tuple = tuple(sorted(set(bumped_anchors), key=Version.parse)) + bumped_tuple = tuple(sorted(bumped_anchors, key=Version.parse)) if bumped_tuple == result.anchors: return result 
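Review bot: `@cached` on `_shipped_stack_majors` hands every caller the same `set[int]` object (assuming the project's `cached` memoizes the return value, as its name suggests), so any future in-place mutation by a caller silently poisons the cache; returning an immutable value costs nothing here: `return frozenset(Version.parse(version).major for version in get_stack_versions())` with the annotation `-> frozenset[int]` (the `&` in find_compatible_version_range still yields a plain set). The memoization also means a test that patches `get_stack_versions` after the first call sees the stale result, which is worth a sentence in the docstring. In `_stack_version_for_major`, `candidates.append(max(lo, major_lo))` is a clear simplification, but the function is now the only place the "earliest stack point in the major" rule lives, so the docstring should mention that a bounded upper `hi` is only used to reject the clause, never to clip the candidate.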
@@ -507,67 +476,20 @@ def _collect_compatible_anchors( integration: str | None, package_schemas: dict[str, Any], ) -> list[str]: - """Collect manifest anchors for each supported stack major. - - For each supported Kibana stack major, resolve the oldest integration package - version compatible with that line (schema-aware when ``integration`` is set). - When integration package majors align with stack majors (endpoint 8.x on Kibana - 8.x), use the aligned anchor directly; otherwise fall back to the legacy - least-compatible walk at the earliest stack point in that major. - """ - integration_majors = {Version.parse(version).major for version in integration_manifests} - aligned_by_major = { - major: anchor - for major in sorted(integration_majors) - if ( - anchor := _anchor_for_aligned_integration_major( - major, - integration_manifests, - integration, - package_schemas, - ) - ) - is not None - } - aligned_min_major = min(aligned_by_major) if aligned_by_major else None - - if aligned_min_major is not None: - effective_stack_majors = sorted(stack_major for stack_major in stack_majors if stack_major >= aligned_min_major) - else: - # Non-aligned packages (integration major != stack major): walk every supported - # stack line so we never drop an older backport anchor (#5601). 
- effective_stack_majors = sorted(stack_majors) - + """Oldest compatible integration version per shipped stack major.""" anchors: list[str] = [] - for stack_major in effective_stack_majors: - if stack_major in aligned_by_major: - anchor = aligned_by_major[stack_major] - else: - anchor = _find_least_compatible_for_stack( - _stack_version_for_major(stack_major, integration_manifests), - integration_manifests, - integration, - package_schemas, - ) + for stack_major in sorted(stack_majors): + anchor = _find_least_compatible_for_stack( + _stack_version_for_major(stack_major, integration_manifests), + integration_manifests, + integration, + package_schemas, + ) if anchor and anchor not in anchors: anchors.append(anchor) return anchors -def _schema_floor_compatible_range( - package: str, - packages_manifest: dict[str, Any], - integration: str, - package_schemas: dict[str, Any], -) -> CompatibleVersionRange | None: - """Build a range from the package baseline when only schema data defines the floor.""" - schema_floor = minimum_schema_package_version(package, integration, {package: package_schemas}) - if not schema_floor: - return None - baseline = find_compatible_version_range(package, packages_manifest) - return apply_schema_version_floor(baseline, schema_floor) - - def find_compatible_version_range( package: str, packages_manifest: dict[str, Any], 
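Review bot: The replacement docstring `"""Oldest compatible integration version per shipped stack major."""` drops the part of the removed text that still holds — that each anchor is resolved at the earliest stack point of its major and that the walk is schema-aware only when `integration` is set — and leaves `package_schemas` unexplained. Suggest a short Args block stating that `stack_majors` has already been intersected with the shipped lines by the caller, and that `package_schemas` only takes effect together with `integration` (if that is how `_find_least_compatible_for_stack` treats it; its body is outside this hunk). The hunk starts inside `_collect_compatible_anchors`, whose signature is above it.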
@@ -602,13 +524,11 @@ def find_compatible_version_range( anchors = _collect_compatible_anchors(integration_manifests, stack_majors, integration, package_schemas) if not anchors: - schema_range = ( - _schema_floor_compatible_range(package, packages_manifest, integration, package_schemas) - if integration and package_schemas - else None - ) - if schema_range: - return schema_range + if integration and package_schemas: + schema_floor = minimum_schema_package_version(package, integration, {package: package_schemas}) + if schema_floor: + baseline = find_compatible_version_range(package, packages_manifest) + return apply_schema_version_floor(baseline, schema_floor) package_label = f"{package}:{integration}" if integration else package raise ValueError(f"no compatible version for integration {package_label}") diff --git a/tests/test_integrations.py b/tests/test_integrations.py index 919ea839e40..5bb9bb94853 100644 --- a/tests/test_integrations.py +++ b/tests/test_integrations.py @@ -11,6 +11,7 @@ from semver import Version from detection_rules.integrations import ( + _MAX_UNBOUNDED_STACK_MAJOR_SPAN, _majors_overlapping_kibana_clause, _parse_clause, _parse_kibana_range, @@ -308,7 +309,9 @@ def test_unbounded_kibana_range_collects_multiple_stack_majors(self): """``>=8.12.0`` (unbounded upper) must collect every overlapping stack major.""" manifests = {"pkg": {"1.0.0": _manifest(">=8.12.0")}} stack_majors = _stack_majors_supported_by_package(manifests["pkg"]) - self.assertEqual(stack_majors, {8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}) + lo_major = 8 + expected = set(range(lo_major, lo_major + _MAX_UNBOUNDED_STACK_MAJOR_SPAN + 1)) + self.assertEqual(stack_majors, expected) def test_bounded_kibana_range_includes_upper_major(self): """``>=8.12.0 <9.1.0`` overlaps stack major 9 (9.0.x) and must include it.""" From 9adb920bf4437b08d054f93f9c945caa683f6340 Mon Sep 17 00:00:00 2001 
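Review bot: In test_unbounded_kibana_range_collects_multiple_stack_majors the expected set is now built from `_MAX_UNBOUNDED_STACK_MAJOR_SPAN` itself, so the test passes for any value of that constant and no longer guards the span its docstring promises to check; keeping one literal alongside, e.g. `self.assertEqual(len(stack_majors), 11)`, restores that. In the find_compatible_version_range hunk, `baseline = find_compatible_version_range(package, packages_manifest)` recurses with `integration` unset, which cannot loop because the inner call never has a schema floor; a comment such as `# integration=None here, so the inner call cannot take this branch again` saves the next reader the check. find_compatible_version_range starts before this hunk.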
From: Mika Ayenson Date: Fri, 5 Jun 2026 12:39:04 -0500 Subject: [PATCH 11/15] fix(rule): dedupe ES|QL related_integrations metadata package row Skip the metadata-only package entry when the ES|QL query already names a data stream for that package (e.g. azure.signinlogs). Kuery/EQL paths are unchanged. Adds regression tests for azure signinlogs and aadgraph. --- detection_rules/rule.py | 13 +++++++++- tests/test_integrations.py | 50 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 1 deletion(-) diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 594c039705f..71bc37e7060 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -1590,7 +1590,7 @@ def get_packaged_integrations( if ( integration in ineligible_integrations or isinstance(data, MachineLearningRuleData) - or (isinstance(data, ESQLRuleData) and integration not in datasets) + or (isinstance(data, ESQLRuleData) and _esql_metadata_package_row_needed(integration, datasets)) ): packaged_integrations.append({"package": integration, "integration": None}) 
@@ -1894,6 +1894,17 @@ def get_unique_query_fields(rule: TOMLRule) -> list[str] | None: return sorted({str(f) for f in parsed if isinstance(f, (eql.ast.Field | kql.ast.Field))}) # type: ignore[reportUnknownVariableType] +def _esql_metadata_package_row_needed(integration: str, datasets: set[str]) -> bool: + """Return True when an ES|QL rule needs a metadata-only package row.""" + # ES|QL extracts package.integration strings from the query while metadata tags the + # package name alone (e.g. azure). The old "integration not in datasets" check treated + # those as uncovered and appended a redundant package-only row alongside parse_datasets. + if integration in datasets: + return False + prefix = f"{integration}." + return not any(dataset.startswith(prefix) for dataset in datasets) + + def parse_datasets(datasets: list[str], package_manifest: dict[str, Any]) -> list[dict[str, Any]]: """Parses datasets into packaged integrations from rule data.""" packaged_integrations: list[dict[str, Any]] = [] diff --git a/tests/test_integrations.py b/tests/test_integrations.py index 5bb9bb94853..5d8db385f17 100644 --- a/tests/test_integrations.py +++ b/tests/test_integrations.py 
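Review bot: `_esql_metadata_package_row_needed` documents its return value but not the shape of `datasets`; the logic is only correct if entries are `package.stream` strings (or the bare package name), and the hint `set[str]` does not convey that. Suggest the docstring `"""Return True when an ES|QL rule needs a metadata-only package row: neither `integration` itself nor any `integration.<stream>` entry is present in `datasets` (the package.stream names parsed from the query)."""`. The `startswith(f"{integration}.")` form is the right one — a bare `startswith(integration)` would let `aws` be covered by `aws_bedrock.*` — so a short comment on `prefix` noting that the dot is deliberate would keep it from being "simplified" later.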
@@ -447,3 +447,53 @@ def test_azure_aadgraphactivitylogs_schema_floor(self): if "aadgraphactivitylogs" in schemas["azure"][version] ] self.assertEqual(floor_versions[0], "1.37.0") + + +class TestEsqlPackagedIntegrations(unittest.TestCase): + """ES|QL must not emit a redundant metadata package row when datasets cover the package.""" + + def test_metadata_package_row_needed_helper(self): + from detection_rules.rule import _esql_metadata_package_row_needed + + self.assertFalse(_esql_metadata_package_row_needed("azure", {"azure.signinlogs"})) + self.assertFalse(_esql_metadata_package_row_needed("aws", {"aws.cloudtrail", "aws.billing"})) + self.assertTrue(_esql_metadata_package_row_needed("azure", set())) + self.assertTrue(_esql_metadata_package_row_needed("aws_bedrock", set())) + + def test_esql_skips_metadata_package_when_query_names_data_stream(self): + from pathlib import Path + + from detection_rules.integrations import load_integrations_manifests + from detection_rules.rule import TOMLRuleContents + from detection_rules.utils import load_rule_contents + + path = Path("rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml") + rule = TOMLRuleContents.from_dict(load_rule_contents(path, single_only=True)[0]) + packaged = TOMLRuleContents.get_packaged_integrations(rule.data, rule.metadata, load_integrations_manifests()) + self.assertEqual(packaged, [{"package": "azure", "integration": "signinlogs"}]) + + def test_kql_signinlogs_rule_unchanged(self): + from pathlib import Path + + from detection_rules.integrations import load_integrations_manifests + from detection_rules.rule import TOMLRuleContents + from detection_rules.utils import load_rule_contents + + path = Path("rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml") + rule = TOMLRuleContents.from_dict(load_rule_contents(path, single_only=True)[0]) + packaged = TOMLRuleContents.get_packaged_integrations(rule.data, rule.metadata, load_integrations_manifests()) + 
self.assertEqual(packaged, [{"package": "azure", "integration": "signinlogs"}]) + + def test_esql_export_emits_one_related_integration_for_aadgraph_rule(self): + from pathlib import Path + + from detection_rules.rule import TOMLRuleContents + from detection_rules.utils import load_rule_contents + + path = Path("rules/integrations/azure/discovery_aad_graph_roadrecon_aitohttp_enumeration.toml") + rule = TOMLRuleContents.from_dict(load_rule_contents(path, single_only=True)[0]) + related = rule.to_api_format().get("related_integrations", []) + self.assertEqual(len(related), 1) + self.assertEqual(related[0]["package"], "azure") + self.assertEqual(related[0]["integration"], "aadgraphactivitylogs") + self.assertIn("^1.37.0", related[0]["version"]) From d4cc69cd9f9f2fa027813414b81e280605e34ddd Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Fri, 5 Jun 2026 13:02:06 -0500 Subject: [PATCH 12/15] test(integrations): drop brittle ES|QL rule-file export tests Remove file-path-based related_integrations tests that depend on local-only rule TOMLs and live manifest output. Keep the pure helper coverage for _esql_metadata_package_row_needed. --- tests/test_integrations.py | 38 -------------------------------------- 1 file changed, 38 deletions(-) diff --git a/tests/test_integrations.py b/tests/test_integrations.py index 5d8db385f17..d2745df5ddf 100644 --- a/tests/test_integrations.py +++ b/tests/test_integrations.py 
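Review bot: test_metadata_package_row_needed_helper never exercises the helper's first branch (`if integration in datasets: return False`) nor the prefix boundary, so a regression in either would not be caught; adding `self.assertFalse(_esql_metadata_package_row_needed("azure", {"azure"}))` and `self.assertTrue(_esql_metadata_package_row_needed("aws", {"aws_bedrock.invocation"}))` covers the exact-match case and the `aws` versus `aws_bedrock` distinction. The three rule-file tests below it read TOML from `rules/integrations/azure/...` and the live manifest, so their outcome tracks repository content rather than this change.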
@@ -459,41 +459,3 @@ def test_metadata_package_row_needed_helper(self): self.assertFalse(_esql_metadata_package_row_needed("aws", {"aws.cloudtrail", "aws.billing"})) self.assertTrue(_esql_metadata_package_row_needed("azure", set())) self.assertTrue(_esql_metadata_package_row_needed("aws_bedrock", set())) - - def test_esql_skips_metadata_package_when_query_names_data_stream(self): - from pathlib import Path - - from detection_rules.integrations import load_integrations_manifests - from detection_rules.rule import TOMLRuleContents - from detection_rules.utils import load_rule_contents - - path = Path("rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml") - rule = TOMLRuleContents.from_dict(load_rule_contents(path, single_only=True)[0]) - packaged = TOMLRuleContents.get_packaged_integrations(rule.data, rule.metadata, load_integrations_manifests()) - self.assertEqual(packaged, [{"package": "azure", "integration": "signinlogs"}]) - - def test_kql_signinlogs_rule_unchanged(self): - from pathlib import Path - - from detection_rules.integrations import load_integrations_manifests - from detection_rules.rule import TOMLRuleContents - from detection_rules.utils import load_rule_contents - - path = Path("rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml") - rule = TOMLRuleContents.from_dict(load_rule_contents(path, single_only=True)[0]) - packaged = TOMLRuleContents.get_packaged_integrations(rule.data, rule.metadata, load_integrations_manifests()) - self.assertEqual(packaged, [{"package": "azure", "integration": "signinlogs"}]) - - def test_esql_export_emits_one_related_integration_for_aadgraph_rule(self): - from pathlib import Path - - from detection_rules.rule import TOMLRuleContents - from detection_rules.utils import load_rule_contents - - path = Path("rules/integrations/azure/discovery_aad_graph_roadrecon_aitohttp_enumeration.toml") - rule = TOMLRuleContents.from_dict(load_rule_contents(path, single_only=True)[0]) 
- related = rule.to_api_format().get("related_integrations", []) - self.assertEqual(len(related), 1) - self.assertEqual(related[0]["package"], "azure") - self.assertEqual(related[0]["integration"], "aadgraphactivitylogs") - self.assertIn("^1.37.0", related[0]["version"]) From 0919416c429e9a08993ff6fe8920ef8bc55ea1b1 Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Fri, 5 Jun 2026 13:39:12 -0500 Subject: [PATCH 13/15] refactor(integrations): dedupe schema floor lookup and trim comments Hoist _integration_schema_floor() to remove duplicate minimum_schema calls in find_compatible_version_range. Shorten export-path comments after audit; no behavior change. --- detection_rules/integrations.py | 50 +++++++++++++++------------------ detection_rules/rule.py | 4 +-- tests/test_integrations.py | 6 +--- 3 files changed, 24 insertions(+), 36 deletions(-) diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py index 466422b9729..09b47253dea 100644 --- a/detection_rules/integrations.py +++ b/detection_rules/integrations.py @@ -285,10 +285,8 @@ def find_latest_integration_patch_for_minor(packages: Iterable[str], major: int, # Sentinel written by ``parse_datasets`` when a rule indexes a package but not a data stream. UNKNOWN_PACKAGE_INTEGRATION = "Unknown" -# Cap stack majors collected from an unbounded Kibana clause (``>=X.Y.Z``). EPR caret/tilde -# ranges are always bounded today; this only applies if EPR ever emits an open-ended requirement. -# The exact value is not critical: ``find_compatible_version_range`` intersects with -# ``_shipped_stack_majors()`` so only backport lines we ship rules to are kept. +# Cap majors walked for unbounded Kibana clauses (``>=X.Y.Z``). Intersection with +# ``_shipped_stack_majors()`` keeps only backport lines we ship rules to. _MAX_UNBOUNDED_STACK_MAJOR_SPAN = 10 
@@ -410,10 +408,7 @@ def _build_compatible_version_range(anchors: list[str]) -> CompatibleVersionRang sorted_anchors = tuple(sorted(set(anchors), key=Version.parse)) top_major = max(Version.parse(anchor).major for anchor in sorted_anchors) - # Forward sentinel: no manifest entry exists yet for (top_major + 1). Kibana accepts - # the caret and it prevents immediate incompatibility when a new package major ships - # before the next manifest refresh. Trade-off: breaking changes in that major would - # not surface until manifests/schemas update. + # Forward sentinel for the next integration major (no manifest entry yet). forward_anchor = f"{top_major + 1}.0.0" range_parts = [f"^{anchor}" for anchor in sorted_anchors] + [f"^{forward_anchor}"] return CompatibleVersionRange( 
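Review bot: The trimmed comment `# Forward sentinel for the next integration major (no manifest entry yet).` drops the only statement of the trade-off the removed text carried: `^{top_major + 1}.0.0` pre-approves an integration major that does not exist yet, so a breaking change in that major is not surfaced by related_integrations until manifests and schemas are refreshed. A rule reviewer reading an exported range needs that to interpret the trailing caret, so keep one sentence, e.g. `# Forward sentinel: pre-approves (top_major + 1).x so a new package major does not break installs before the next manifest refresh; breaking changes in that major surface only once manifests/schemas update.` `_build_compatible_version_range` starts before this hunk.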
@@ -490,22 +485,25 @@ def _collect_compatible_anchors( return anchors +def _integration_schema_floor( + package: str, + integration: str | None, + package_schemas: dict[str, Any], +) -> str | None: + """Oldest package version whose schema includes integration, when schemas are loaded.""" + if not integration or not package_schemas: + return None + return minimum_schema_package_version(package, integration, {package: package_schemas}) + + def find_compatible_version_range( package: str, packages_manifest: dict[str, Any], integration: str | None = None, ) -> CompatibleVersionRange: """Return a stack-invariant OR'd caret range for related_integrations.version.""" - # Resolve anchors from EPR manifests alone (no build-time stack version), OR the - # carets together, and append a forward sentinel for the next integration major. - # - # When integration is set, the manifest kibana condition only tells us whether the - # *package* installs on a stack, not whether a particular data stream exists yet - # (e.g. azure added aadgraphactivitylogs in 1.37.0 while 1.0.0 already installs - # on 8.19). integration-schemas.json.gz records streams per package version; skip - # versions that predate the stream when schema data exists, otherwise fall back to - # kibana compatibility alone (e.g. synthetic manifests in tests). Schemas are loaded - # lazily only when integration is set. + # One anchor per shipped stack major (no build-time stack), OR'd carets, forward sentinel. + # With integration set, filter by integration-schemas when present (data-stream floor). package_manifest = packages_manifest.get(package) if package_manifest is None: raise ValueError(f"Package {package} not found in manifest.") 
@@ -513,9 +511,9 @@ def find_compatible_version_range( package_schemas: dict[str, Any] = {} if integration: package_schemas = load_integrations_schemas().get(package, {}) + schema_floor = _integration_schema_floor(package, integration, package_schemas) integration_manifests = dict(sorted(package_manifest.items(), key=lambda x: Version.parse(x[0]))) - # Only walk stack majors we ship prebuilt rules to (stack-schema-map backport lines). stack_majors = _stack_majors_supported_by_package(integration_manifests) & _shipped_stack_majors() if not stack_majors: @@ -524,19 +522,15 @@ def find_compatible_version_range( anchors = _collect_compatible_anchors(integration_manifests, stack_majors, integration, package_schemas) if not anchors: - if integration and package_schemas: - schema_floor = minimum_schema_package_version(package, integration, {package: package_schemas}) - if schema_floor: - baseline = find_compatible_version_range(package, packages_manifest) - return apply_schema_version_floor(baseline, schema_floor) + if schema_floor: + baseline = find_compatible_version_range(package, packages_manifest) + return apply_schema_version_floor(baseline, schema_floor) package_label = f"{package}:{integration}" if integration else package raise ValueError(f"no compatible version for integration {package_label}") result = _build_compatible_version_range(anchors) - if integration and package_schemas: - schema_floor = minimum_schema_package_version(package, integration, {package: package_schemas}) - if schema_floor: - result = apply_schema_version_floor(result, schema_floor) + if schema_floor: + result = apply_schema_version_floor(result, schema_floor) return result diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 71bc37e7060..b80d9238ff6 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py 
@@ -1896,9 +1896,7 @@ def get_unique_query_fields(rule: TOMLRule) -> list[str] | None: def _esql_metadata_package_row_needed(integration: str, datasets: set[str]) -> bool: """Return True when an ES|QL rule needs a metadata-only package row.""" - # ES|QL extracts package.integration strings from the query while metadata tags the - # package name alone (e.g. azure). The old "integration not in datasets" check treated - # those as uncovered and appended a redundant package-only row alongside parse_datasets. + # Metadata tags the package name; ES|QL datasets use package.stream (e.g. azure.signinlogs). if integration in datasets: return False prefix = f"{integration}." diff --git a/tests/test_integrations.py b/tests/test_integrations.py index d2745df5ddf..fdd909c189a 100644 --- a/tests/test_integrations.py +++ b/tests/test_integrations.py @@ -426,11 +426,7 @@ def test_schema_floor_excludes_legacy_zero_major(self): self.assertEqual(result.range, "^1.37.0 || ^2.0.0") def test_azure_aadgraphactivitylogs_schema_floor(self): - """aadgraphactivitylogs first appears in azure 1.37.0 and bumps RI anchors. - - Pinned to the committed integration-schemas.json.gz; update if the stream - introduction version shifts. - """ + """aadgraphactivitylogs floor is azure 1.37.0 (bundled integration-schemas.json.gz).""" from detection_rules.integrations import load_integrations_manifests, load_integrations_schemas schemas = load_integrations_schemas() From 6a37067e9025b4034909506a8e2d49742c2411d8 Mon Sep 17 00:00:00 2001 
From: Mika Ayenson Date: Fri, 5 Jun 2026 13:58:45 -0500 Subject: [PATCH 14/15] fix(integrations): walk shipped stack lines for RI anchor collection Collect related_integrations anchors from each get_stack_versions() entry instead of synthesizing stack-major floors (e.g. 9.0.0). AWS 5.x/6.x require Kibana ^9.2+ and were missed, causing false version-mismatch warnings on 9.2+. --- detection_rules/integrations.py | 28 ++++++------------------ tests/test_integrations.py | 38 +++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 21 deletions(-) diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py index 09b47253dea..a04be8de242 100644 --- a/detection_rules/integrations.py +++ b/detection_rules/integrations.py @@ -375,23 +375,6 @@ def _find_least_compatible_for_stack( return None -def _stack_version_for_major(stack_major: int, integration_manifests: dict[str, Any]) -> Version: - """Earliest stack version in stack_major that satisfies any manifest range.""" - major_lo = Version(stack_major, 0, 0) - major_hi = Version(stack_major + 1, 0, 0) - candidates: list[Version] = [] - - for manifest in integration_manifests.values(): - for lo, hi in _parse_kibana_range(manifest["conditions"]["kibana"]["version"]): - if hi is not None and hi <= major_lo: - continue - if lo >= major_hi: - continue - candidates.append(max(lo, major_lo)) - - return min(candidates) if candidates else major_lo - - @dataclass(frozen=True) class CompatibleVersionRange: """Stack-invariant related integration compatibility range.""" 
@@ -471,11 +454,14 @@ def _collect_compatible_anchors( integration: str | None, package_schemas: dict[str, Any], ) -> list[str]: - """Oldest compatible integration version per shipped stack major.""" + """Oldest compatible integration version per shipped stack version line.""" anchors: list[str] = [] - for stack_major in sorted(stack_majors): + for stack_version_str in get_stack_versions(): + stack_version = Version.parse(stack_version_str) + if stack_version.major not in stack_majors: + continue anchor = _find_least_compatible_for_stack( - _stack_version_for_major(stack_major, integration_manifests), + stack_version, integration_manifests, integration, package_schemas, @@ -502,7 +488,7 @@ def find_compatible_version_range( integration: str | None = None, ) -> CompatibleVersionRange: """Return a stack-invariant OR'd caret range for related_integrations.version.""" - # One anchor per shipped stack major (no build-time stack), OR'd carets, forward sentinel. + # One anchor per shipped stack version line (no build-time stack), OR'd carets, forward sentinel. # With integration set, filter by integration-schemas when present (data-stream floor). package_manifest = packages_manifest.get(package) if package_manifest is None: diff --git a/tests/test_integrations.py b/tests/test_integrations.py index fdd909c189a..01f102bb56d 100644 --- a/tests/test_integrations.py +++ b/tests/test_integrations.py @@ -12,6 +12,7 @@ from detection_rules.integrations import ( _MAX_UNBOUNDED_STACK_MAJOR_SPAN, + _find_least_compatible_for_stack, _majors_overlapping_kibana_clause, _parse_clause, _parse_kibana_range, @@ -20,6 +21,7 @@ find_compatible_version_range, find_latest_compatible_version, ) +from detection_rules.schemas import get_stack_versions def _manifest(kibana_version: str) -> dict: 
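Review bot: `_collect_compatible_anchors` now calls `get_stack_versions()` on every invocation, while the majors it filters with come from the `@cached` `_shipped_stack_majors`; if `get_stack_versions` parses stack-schema-map on each call (its body is outside this diff) that is repeated work per exported rule, and a single cached helper returning the parsed `Version` list would serve both. The `stack_version.major not in stack_majors` skip is still needed because `stack_majors` was intersected with the majors the package can install on, but that is not visible from here; a comment on the loop, `# stack_majors already excludes lines the package cannot install on`, makes it clear the filter is not redundant with _shipped_stack_majors. The docstring could also note that the order of `get_stack_versions()` does not matter since `_build_compatible_version_range` sorts the anchors.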
@@ -358,6 +360,42 @@ def test_keeps_zero_major_when_only_stable_option_missing(self): result = find_compatible_version_range("pkg", manifests) self.assertEqual(result.anchors, ("0.5.0",)) + def test_anchors_cover_each_shipped_stack_export(self): + """Each per-stack least-compatible anchor must appear in the OR range (Kibana semver.satisfies).""" + manifests = { + "pkg": { + "1.0.0": _manifest("^8.0.0"), + "2.0.0": _manifest("^9.2.0"), + "3.0.0": _manifest("^9.4.0"), + } + } + result = find_compatible_version_range("pkg", manifests) + for stack_version_str in get_stack_versions(): + stack_version = Version.parse(stack_version_str) + expected = _find_least_compatible_for_stack(stack_version, manifests["pkg"]) + if expected is None: + continue + self.assertIn( + expected, + result.anchors, + f"stack {stack_version_str} exported ^{expected} but anchors are {result.anchors}", + ) + + def test_aws_range_includes_late_stack_anchors(self): + """AWS 5.x/6.x require Kibana ^9.2+; walking 9.0.0 per major missed them.""" + from detection_rules.integrations import load_integrations_manifests + + manifests = load_integrations_manifests() + result = find_compatible_version_range("aws", manifests) + self.assertIn("5.0.0", result.anchors) + self.assertIn("6.0.0", result.anchors) + self.assertNotIn("1.5.0", result.anchors) + for stack_version_str in get_stack_versions(): + stack_version = Version.parse(stack_version_str) + expected = _find_least_compatible_for_stack(stack_version, manifests["aws"]) + self.assertIsNotNone(expected) + self.assertIn(expected, result.anchors, stack_version_str) + class TestFindCompatibleVersionRangeSchemaAware(unittest.TestCase): """Schema-aware data stream filtering ported from #6251 into OR-range export.""" From 429ab995a45de0160e917e1064281bee641b58ce Mon Sep 17 00:00:00 2001 
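Review bot: `test_anchors_cover_each_shipped_stack_export` can pass vacuously — if `_find_least_compatible_for_stack` returns None for every shipped line the loop never asserts anything; add `self.assertTrue(result.anchors)` before the loop, or count the lines checked and `self.assertGreater(checked, 0)` afterwards. `test_aws_range_includes_late_stack_anchors` pins `5.0.0`, `6.0.0` and `1.5.0` against the live output of `load_integrations_manifests()`, so the next manifest refresh breaks it without any regression in the code under test; the per-stack loop that follows already proves the property, so the literal `assertIn`/`assertNotIn` lines could go or carry a comment explaining why those values are expected. The function-level `from detection_rules.integrations import load_integrations_manifests` belongs with the module imports this patch already edits. `Version` is used here without being added in the import hunk, so it is presumably already imported by the test module.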
From: Mika Ayenson Date: Fri, 5 Jun 2026 16:08:17 -0500 Subject: [PATCH 15/15] fix(rule): dedupe NON_DATASET metadata RI rows when datasets cover package Skip redundant related_integrations rows for endpoint, windows, and other NON_DATASET_PACKAGES when the query already references package.* datasets. Extends ES|QL metadata dedupe to EQL/KQL rules. --- detection_rules/rule.py | 26 +++++++++++++++----------- tests/test_integrations.py | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 11 deletions(-) diff --git a/detection_rules/rule.py b/detection_rules/rule.py index b80d9238ff6..866bc45fb62 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -1583,14 +1583,14 @@ def get_packaged_integrations( if isinstance(rule_integrations, str): rule_integrations = [rule_integrations] for integration in rule_integrations: - ineligible_integrations = [ - *definitions.NON_DATASET_PACKAGES, - *map(str.lower, definitions.MACHINE_LEARNING_PACKAGES), - ] - if ( - integration in ineligible_integrations - or isinstance(data, MachineLearningRuleData) - or (isinstance(data, ESQLRuleData) and _esql_metadata_package_row_needed(integration, datasets)) + ml_packages_lower = set(map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)) + if isinstance(data, MachineLearningRuleData): + packaged_integrations.append({"package": integration, "integration": None}) + elif integration in definitions.NON_DATASET_PACKAGES: + if _metadata_package_row_needed(integration, datasets): + packaged_integrations.append({"package": integration, "integration": None}) + elif integration.lower() in ml_packages_lower or ( + isinstance(data, ESQLRuleData) and _metadata_package_row_needed(integration, datasets) ): packaged_integrations.append({"package": integration, "integration": None}) 
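Review bot: `ml_packages_lower` is rebuilt on every iteration of `for integration in rule_integrations:` although it does not depend on the loop variable; hoist it above the loop as `ml_packages_lower = {p.lower() for p in definitions.MACHINE_LEARNING_PACKAGES}`. The ML branch also changes the comparison from `integration in [...lowercased names...]` to `integration.lower() in ml_packages_lower`, so a mixed-case integration name that previously fell through now gets a metadata row; if that is intended the commit message should say so, otherwise keep the exact-match form. For a NON_DATASET package the metadata row is now dropped whenever a `package.*` dataset appears in the query, relying on the dataset path (outside this hunk) to emit the row; if that path filters datasets against the manifest, an unrecognized `endpoint.*` dataset would leave the rule with no row at all, which a test for that case would pin down. `get_packaged_integrations` starts and ends outside the hunk.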
@@ -1894,15 +1894,19 @@ def get_unique_query_fields(rule: TOMLRule) -> list[str] | None: return sorted({str(f) for f in parsed if isinstance(f, (eql.ast.Field | kql.ast.Field))}) # type: ignore[reportUnknownVariableType] -def _esql_metadata_package_row_needed(integration: str, datasets: set[str]) -> bool: - """Return True when an ES|QL rule needs a metadata-only package row.""" - # Metadata tags the package name; ES|QL datasets use package.stream (e.g. azure.signinlogs). +def _metadata_package_row_needed(integration: str, datasets: set[str]) -> bool: + """Return True when a metadata-only package row is still required.""" + # Metadata tags the package name; query datasets use package.stream (e.g. endpoint.events.api). if integration in datasets: return False prefix = f"{integration}." return not any(dataset.startswith(prefix) for dataset in datasets) +# Backward-compatible alias for ES|QL export tests and callers. +_esql_metadata_package_row_needed = _metadata_package_row_needed + + def parse_datasets(datasets: list[str], package_manifest: dict[str, Any]) -> list[dict[str, Any]]: """Parses datasets into packaged integrations from rule data.""" packaged_integrations: list[dict[str, Any]] = [] diff --git a/tests/test_integrations.py b/tests/test_integrations.py index 01f102bb56d..a8f8cda098e 100644 --- a/tests/test_integrations.py +++ b/tests/test_integrations.py 
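Review bot: The `_esql_metadata_package_row_needed = _metadata_package_row_needed` alias keeps a private name alive for tests, yet this same series edits tests/test_integrations.py; update the remaining callers and drop the alias, or give it a removal marker such as `# TODO: remove once callers use _metadata_package_row_needed`. The new docstring leaves the argument contract implicit; something like `"""Return True when ``datasets`` contains neither ``integration`` itself nor any ``integration.<stream>`` entry."""` says what is actually tested. The `integration in datasets` check treats a bare package name as a dataset, which deserves a one-line comment if that is intentional.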
@@ -483,6 +483,43 @@ def test_azure_aadgraphactivitylogs_schema_floor(self): self.assertEqual(floor_versions[0], "1.37.0") +class TestMetadataPackageRowDedupe(unittest.TestCase): + """Skip redundant metadata package rows when query datasets already cover the package.""" + + def test_metadata_package_row_needed_helper(self): + from detection_rules.rule import _metadata_package_row_needed + + self.assertFalse(_metadata_package_row_needed("azure", {"azure.signinlogs"})) + self.assertFalse(_metadata_package_row_needed("aws", {"aws.cloudtrail", "aws.billing"})) + self.assertFalse(_metadata_package_row_needed("endpoint", {"endpoint.events.api"})) + self.assertFalse(_metadata_package_row_needed("windows", {"windows.sysmon_operational"})) + self.assertTrue(_metadata_package_row_needed("azure", set())) + self.assertTrue(_metadata_package_row_needed("aws_bedrock", set())) + self.assertTrue(_metadata_package_row_needed("endpoint", set())) + + def test_non_dataset_package_skips_metadata_row_when_query_has_datasets(self): + from pathlib import Path + + from detection_rules.integrations import load_integrations_manifests + from detection_rules.rule import TOMLRuleContents + from detection_rules.rule_loader import RuleCollection + + manifests = load_integrations_manifests() + rule = RuleCollection().load_file(Path("rules/windows/persistence_sysmon_wmi_event_subscription.toml")) + packaged = TOMLRuleContents.get_packaged_integrations(rule.contents.data, rule.contents.metadata, manifests) + packages = [entry["package"] for entry in packaged] + self.assertEqual(packages.count("endpoint"), 1) + self.assertEqual(packages.count("windows"), 1) + + api = rule.contents.to_api_format() + endpoint_rows = [row for row in api["related_integrations"] if row["package"] == "endpoint"] + windows_rows = [row for row in api["related_integrations"] if row["package"] == "windows"] + self.assertEqual(len(endpoint_rows), 1) + self.assertEqual(len(windows_rows), 1) + 
self.assertEqual(endpoint_rows[0]["version"], "^8.7.0 || ^9.0.0 || ^10.0.0") + self.assertEqual(windows_rows[0]["version"], "^1.0.0 || ^3.0.0 || ^4.0.0") + + class TestEsqlPackagedIntegrations(unittest.TestCase): """ES|QL must not emit a redundant metadata package row when datasets cover the package."""
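Review bot: `test_non_dataset_package_skips_metadata_row_when_query_has_datasets` asserts exact exported ranges (`^8.7.0 || ^9.0.0 || ^10.0.0`, `^1.0.0 || ^3.0.0 || ^4.0.0`) computed from live `load_integrations_manifests()` and the shipped stack lines, so this dedupe test will fail on the next manifest or stack-line update even though dedupe still works; derive the expectation from `find_compatible_version_range("endpoint", manifests)` rather than hard-coding it, or drop the two version assertions and keep the row counts, which are what the test is about. `Path("rules/windows/persistence_sysmon_wmi_event_subscription.toml")` is resolved against the current working directory, so the test depends on where pytest is invoked; anchor it to the repository root, presumably via whatever helper the other rule-loading tests use. The function-local imports should move to module level alongside the ones this series already adds.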